Sun updates Java for Microsoft flaw

From the 'have you updated yet?' files:
Sun is out this week with a significant security update for Java SE 6. US-CERT warns that the Java vulnerabilities could potentially enable an attacker to execute arbitrary code or bypass authentication methods. Technically speaking, the update is labeled update 15 (6u15) and is accompanied by no less than 7 separate Sun security alerts: 263408, 263409, 263428, 263429, 263488, 263489, and 264648.

Perhaps the most significant flaw patched by Sun in the Java update is detailed in alert 264648, which is directly related to the recent out-of-band updates from Microsoft. "A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio that is used by the Java Web Start ActiveX control may allow the Java Web Start ActiveX control to be leveraged to execute arbitrary code," Sun's advisory states. "This may occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability."

It's interesting to see how many third-party vendors were affected by the ATL issue. Adobe was also affected by the same issue. When I was at Black Hat, IBM ISS researcher David Dewy explained why the ATL issue would likely affect many vendors beyond just Microsoft. "It affects thousands of vulnerabilities across the Microsoft install base and innumerable binaries. Microsoft had the unenviable task of coordinating a vendor disclosure that actually affected thousands of third-party vendors -- anyone that has compiled an ActiveX control with Visual Studio may have been at risk."

Beyond the Microsoft issue, Sun's Java update fixes a few other interesting issues. One particularly interesting issue in my opinion is Sun Alert 263408, which advises of a security flaw in Java's audio system. The issue is that a bug in the audio system could potentially enable an attacker to access a user's system properties without authorization.
Alert 263428 describes an integer overflow error, such that a malicious JPEG image could lead to a privilege escalation. Basically, that means an attacker could potentially gain root access to a vulnerable machine.
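The bug class behind that alert, as an added illustration (not Sun's code, and not the actual JPEG-decoder defect, which the alert does not detail): an image header's width, height and bytes-per-pixel are multiplied to size a buffer, the unchecked product wraps to a small number, and the decoder then writes the full image into a buffer that is far too small. The checked variant does the arithmetic in 64 bits against a hypothetical size cap (an assumption of this example) and rejects the header before anything is allocated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical policy cap on a decoded image buffer (256 MiB); an assumption
 * for this example, not a value taken from Sun's alert. */
#define MAX_IMAGE_BYTES ((uint64_t)256 << 20)

/* Unchecked computation in 32-bit arithmetic: 65536 x 65536 x 1 wraps to 0,
 * so a decoder using it would allocate (almost) nothing and then copy the
 * whole image into that allocation. The wrapped value is returned as-is. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;          /* unsigned wrap, no error signalled */
}

/* Checked computation: validates each field, multiplies in 64 bits so the
 * area cannot wrap, and bounds the result by the cap. Returns the exact byte
 * count, or 0 (which no real image produces) meaning "reject this header". */
size_t checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return 0;                                  /* malformed header */
    uint64_t area = (uint64_t)width * height;      /* < 2^64, cannot wrap */
    if (area > MAX_IMAGE_BYTES / bpp)
        return 0;                                  /* over cap, or would wrap */
    return (size_t)(area * bpp);
}

int main(void) {
    /* Constructed header values: a plausible photo and a hostile one. */
    printf("640x480x3:      unchecked=%" PRIu32 " checked=%zu\n",
           unchecked_image_bytes(640, 480, 3), checked_image_bytes(640, 480, 3));
    printf("65536x65536x1:  unchecked=%" PRIu32 " checked=%zu\n",
           unchecked_image_bytes(65536, 65536, 1),
           checked_image_bytes(65536, 65536, 1));
    return 0;
}
```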