Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability

Discussion in 'other security issues & news' started by ronjor, Jun 14, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Secunia
  2. MikeBCda

    MikeBCda Registered Member

    If I'm reading that right, it was fixed in JRE 1.5 (or 5.0, their numbering confuses me) Update 2, which has been available for many months now.
  3. GlobalForce

    GlobalForce Regular Poster

    Good call Ron! :cool: I've always had suspicions about unauthorized applet starts.

    GF ;)
  4. ronjor

    ronjor Global Moderator

    Their numbering system can get confusing. I'm using the 1.4.xxx versions.
  5. diginsight

    diginsight Security Expert

    I wonder why Sun keeps insisting on pushing Java Web Start with JRE, while I see no use for it and it has had its load of vulnerabilities. The only way to remove the damn thing is by deleting the javaws folder.
  6. snowieone

    snowieone Guest

    THIS ISSUE WAS FIXED BUT IF YOU DISLIKE WEBSTART JUST>

    To work around the described issue, disable Java Web Start applications from being launched from a web browser as follows:

    For Internet Explorer:

    Right click on the "Start" button and select "Explore"
    In the "Start Menu" window, select "Tools" => "Folder Options"
    From the "Folder Options" window, select the "File Types" tab
    From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
    Select the "JNLP - JNLP File" and click the "Delete" button

    For Mozilla:

    Select "Preferences" under the browser's "Edit" menu
    In the "Preferences" window, select "Helper Applications" located under the "Navigator" category
    Under "Files types", scroll down and locate "application/x-java-jnlp-file"
    Select "application/x-java-jnlp-file" and click the "Remove" button

    Notes:

    1. On Microsoft Windows, applications may also be launched from the desktop icon or Start Menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item.
  7. diginsight

    diginsight Security Expert

    Hi snowieone,

    Thanks for this solution. It's much more elegant and scriptable than just deleting the entire javaws folder. I already discovered how to remove the desktop icon using an installation script.

    Now I still have to verify it doesn't recreate these keys after updating JRE.
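
An added example, not part of any post in this thread: a PowerShell check that can be run after a JRE update to see whether the JNLP file type removed in the Internet Explorer steps is registered again. It assumes the registration sits in the standard Windows locations under HKEY_CLASSES_ROOT (the `.jnlp` extension key and the MIME content-type key); the helper name `Get-ClassesRootEntry` is hypothetical, and the Mozilla helper-application setting is not covered.

```powershell
# Added example: audits the Windows file-type registration for JNLP.
# The .NET registry API is used because the MIME key name contains "/",
# which the PowerShell registry provider treats as a path separator.

function Get-ClassesRootEntry {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$SubKey,
        [string]$ValueName = ''            # '' reads the key's (Default) value
    )
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey)
    if ($null -eq $key) {
        return [pscustomobject]@{ SubKey = $SubKey; Exists = $false; Value = $null }
    }
    try {
        return [pscustomobject]@{ SubKey = $SubKey; Exists = $true; Value = $key.GetValue($ValueName) }
    }
    finally {
        $key.Close()
    }
}

# MIME type as named in the workaround; ".jnlp" is the matching file extension.
$mimeType = 'application/x-java-jnlp-file'

$extension   = Get-ClassesRootEntry -SubKey '.jnlp'
$contentType = Get-ClassesRootEntry -SubKey "MIME\Database\Content Type\$mimeType" -ValueName 'Extension'
$results     = @($extension, $contentType)

if ($extension.Exists -and $extension.Value) {
    # Resolve the ProgID at run time instead of assuming its name, then read
    # the command that opening a .jnlp file would execute.
    $results += Get-ClassesRootEntry -SubKey "$($extension.Value)\shell\open\command"
}

# One row per key checked, so a re-created entry is visible at a glance.
$results | Format-Table -Property SubKey, Exists, Value -AutoSize

if ($extension.Exists) {
    Write-Warning '.jnlp is registered as a file type under HKEY_CLASSES_ROOT.'
}
else {
    Write-Output '.jnlp is not registered as a file type under HKEY_CLASSES_ROOT.'
}
```

Running it once before and once after a JRE update shows whether the installer restored the entries.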