WatchGuard Technologies, Inc.
Sun Java plug-in plugs hackers into your PC

Recently, iDEFENSE released an advisory describing a new vulnerability in Sun's Java plug-in, the browser component of the Java Runtime Environment (JRE), affecting v1.4.2_05 and earlier. Originally discovered by Jouko Pynnonen, the flaw lets an attacker escape Java's sandbox, the restrictions that are supposed to keep an untrusted applet away from the local system, and from there upload, download, or execute code on a victim's machine. To trigger it, the attacker first has to entice one of your users into visiting a malicious Web site that hosts a specially crafted Java applet. Pynnonen confirmed that the flaw affects both Windows and Unix machines running Sun's JRE, regardless of which Web browser they use; because the bug is in the JRE itself rather than in any browser or operating system, any platform running a vulnerable Sun JRE should be assumed affected. In short, if your users visit the wrong site with a vulnerable Sun JRE, an attacker could gain control of their PC.

As worrying as a cross-platform flaw like this sounds, many Windows users who browse with Internet Explorer (IE) can breathe a sigh of relief. Windows has historically shipped with Microsoft's own Java interpreter, the Microsoft Java Virtual Machine (MSJVM), and IE uses MSJVM rather than Sun's plug-in to run the applets it encounters, so those users aren't exposed to this flaw. However, as a result of its legal dispute with Sun, Microsoft has discontinued MSJVM in its most recent Windows releases. MSJVM doesn't ship with Windows Server 2003, or with the Windows XP installation media that prepackage SP1a or SP2 (XP users who applied SP1 or SP2 as an upgrade to an existing installation do retain MSJVM). If you use one of these newer releases, you have to download a Java interpreter yourself, in which case you probably have Sun's JRE. Note also that installing Sun's JRE on a machine that still has MSJVM normally registers Sun's plug-in with IE as well, so the mere presence of MSJVM doesn't prove IE isn't running the vulnerable interpreter; check which one IE actually uses, as described below.

If you're unsure which interpreter your copy of IE uses to run Java, you can find out. In IE, click Tools => Internet Options => Advanced tab. Scroll down to the Microsoft VM section and check "Java console enabled." Restart IE and then click View => Java Console. A window opens that displays the name of the Java interpreter IE uses and its version number. If the Advanced tab shows a "Java (Sun)" section instead of, or in addition to, "Microsoft VM," Sun's plug-in is installed and the checkbox in that section controls whether IE uses it for applets; you can also read Sun's version directly by running java -version at a command prompt. As long as you're not using Sun JRE v1.4.2_05 or an earlier version, the vulnerability doesn't affect you. If you use any Web browser other than IE, you almost certainly use Sun's JRE, in which case you should download version 1.4.2_06, which fixes this issue. -- Corey Nachreiner
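The version check above is easy to get wrong when done by eye or by string comparison, because Sun's version strings carry an update number after an underscore ("1.4.2_10" sorts before "1.4.2_06" alphabetically). The script below is an added example written for this article, not WatchGuard's or Sun's code. It parses the banner that `java -version` prints, compares the version numerically against 1.4.2_06 (the fix the article names), and, if a java binary is on the PATH, classifies the installed JRE. The sample banners are constructed to match the format Sun's JRE printed at the time; they are not captures from a real host, and the cutoff follows the article's rule (1.4.2_05 and earlier vulnerable, anything newer not affected).

```python
"""Classify a Sun JRE version as vulnerable or fixed per the advisory.

Example code added to this article (not WatchGuard's or Sun's).
Rule taken from the article: 1.4.2_05 and earlier are vulnerable,
1.4.2_06 is the fixed release. Versions older than 1.4.2 are reported
as vulnerable here; the article does not say where the range begins.
"""
import re
import subprocess

FIXED = (1, 4, 2, 6)  # first release the article says closes the hole

# Sun's JRE prints the version on stderr, quoted, e.g.
#   java version "1.4.2_05"
_BANNER_RE = re.compile(r'java version "([^"]+)"')
# major.minor[.micro][_update]; the build suffix ("-b04") is ignored
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_version(text):
    """Return (major, minor, micro, update) from a banner or bare string.

    Accepts either the full `java -version` output or just "1.4.2_05".
    A missing micro or update number counts as zero. Returns None when
    nothing resembling a Sun version string is present.
    """
    m = _BANNER_RE.search(text)
    candidate = m.group(1) if m else text.strip()
    m = _VERSION_RE.match(candidate)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_vulnerable(text):
    """True if the version is 1.4.2_05 or earlier.

    Tuple comparison is used deliberately: comparing the strings would
    rank "1.4.2_10" below "1.4.2_06" and misreport a patched host.
    """
    version = parse_version(text)
    if version is None:
        raise ValueError("no Sun JRE version found in: %r" % text)
    return version < FIXED


def check_installed_java():
    """Run `java -version` on this host and classify the result.

    Returns (version_tuple, vulnerable) or None when no java binary is
    found or its banner is not in Sun's format. Sun wrote the banner to
    stderr, so both streams are captured.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    version = parse_version(proc.stderr + proc.stdout)
    if version is None:
        return None
    return version, version < FIXED


# Constructed banners in the format Sun's JRE printed (not real captures),
# mapped to the verdict the article's rule gives for each.
SAMPLE_BANNERS = {
    'java version "1.4.2_05"\nJava(TM) 2 Runtime Environment, Standard '
    'Edition (build 1.4.2_05-b04)': True,
    'java version "1.4.2_06"': False,
    'java version "1.4.2"': True,       # no update suffix: update 0
    'java version "1.4.2_10"': False,   # string compare would get this wrong
    'java version "1.3.1_12"': True,
    'java version "1.5.0"': False,
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        verdict = is_vulnerable(banner)
        assert verdict == expected
        shown = _BANNER_RE.search(banner).group(1)
        print("%-10s %s" % (shown, "VULNERABLE, upgrade to 1.4.2_06"
                            if verdict else "not affected"))
    live = check_installed_java()
    if live is not None:
        (major, minor, micro, update), vulnerable = live
        print("installed JRE %d.%d.%d_%02d: %s" % (
            major, minor, micro, update,
            "VULNERABLE" if vulnerable else "not affected"))
```

Run it on a workstation to classify the Sun JRE on the PATH; on a host where IE is still using MSJVM, remember that `java -version` only reports Sun's interpreter, so the IE console check in the text remains the authoritative answer for what the browser itself runs.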

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.