Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
ronjor
June 14th, 2005, 11:24 AM
-{ Quote: "Highly critical" }-
Secunia (http://secunia.com/advisories/15671/)
MikeBCda
June 14th, 2005, 12:03 PM
If I'm reading that right, it was fixed in JRE 1.5 (or 5.0, their numbering confuses me) Update 2, which has been available many months now.
GlobalForce
June 14th, 2005, 12:06 PM
Good call Ron! 8) I've always had suspicions about unauthorized applet starts.
GF ;)
ronjor
June 14th, 2005, 12:16 PM
-{ Quote: "If I'm reading that right, it was fixed in JRE 1.5 (or 5.0, their numbering confuses me) Update 2, which has been available many months now." }-
Their numbering system can get confusing. I'm using the 1.4.xxx versions.
diginsight
June 14th, 2005, 02:21 PM
I wonder why Sun keeps insisting on pushing Java Web Start with JRE, while I see no use for it and it has had its load of vulnerabilities. The only way to remove the damn thing is by deleting the javaws folder.
snowieone
June 14th, 2005, 05:04 PM
THIS ISSUE WAS FIXED BUT IF YOU DISLIKE WEBSTART JUST>
To work around the described issue, disable Java Web Start applications from being launched from a web browser as follows:
For Internet Explorer:
Right click on the "Start" button and select "Explore"
In the "Start Menu" window, select "Tools" => "Folder Options"
From the "Folder Options" window, select the "File Types" tab
From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
Select the "JNLP - JNLP File" and click the "Delete" button
For Mozilla:
Select "Preferences" under the browser's "Edit" menu
In the "Preferences" window, select "Helper Applications" located under the "Navigator" category
Under "Files types", scroll down and locate "application/x-java-jnlp-file"
Select "application/x-java-jnlp-file" and click the "Remove" button
Notes:
1. On Microsoft Windows, applications may also be launched from the desktop icon or Start Menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item.
diginsight
June 14th, 2005, 06:12 PM
Hi snowieone,
Thanks for this solution. It's much more elegant and scriptable than just deleting the entire javaws folder. I already discovered how to remove the desktop icon using an installation script.
Now I still have to verify it doesn't recreate these keys after updating JRE.
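Added example, not part of the original thread and not Sun's own tooling: a PowerShell audit that reports whether the JNLP file-type registration removed by the Internet Explorer workaround is present again, for instance after a JRE update. It assumes the "JNLP - JNLP File" type maps to the `.jnlp` extension, uses the MIME type named in the workaround, and covers only the Windows file-type registration, not Mozilla's helper application setting.

```powershell
# Added example: read-only audit of the JNLP launch association on Windows.
$Extension = '.jnlp'                          # assumption: extension behind "JNLP - JNLP File"
$MimeType  = 'application/x-java-jnlp-file'   # MIME type named in the workaround

function Get-ClassesRootKey {
    param([string]$SubKey)
    # .NET registry API is used because the MIME key name contains a "/",
    # which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }      # key is absent
    try {
        return [pscustomobject]@{ SubKey = $SubKey; Default = $key.GetValue('') }
    } finally {
        $key.Close()
    }
}

$findings = @()

# 1. Extension key: its default value names the ProgID that handles the file type.
$ext = Get-ClassesRootKey $Extension
$detail = ''
if ($ext) {
    $progId = $ext.Default
    $detail = "ProgID=$progId"
    if ($progId) {
        # Resolve which program the shell would start for this file type.
        $open = Get-ClassesRootKey "$progId\shell\open\command"
        if ($open) { $detail += "; open=$($open.Default)" }
    }
}
$findings += [pscustomobject]@{
    Item = "File type $Extension"; Present = [bool]$ext; Detail = $detail
}

# 2. MIME database entry that maps the content type to the extension.
$mime = Get-ClassesRootKey "MIME\Database\Content Type\$MimeType"
$findings += [pscustomobject]@{
    Item = "MIME type $MimeType"; Present = [bool]$mime; Detail = ''
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets an installation or update script flag a re-registration.
if ($findings | Where-Object { $_.Present }) { exit 1 } else { exit 0 }
```

HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user class registrations, so the script reports an association from either source.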
Copyright ©2002 - 2012, Wilders Security Forums