Vulnerability Note VU#223028

Sun Java WebStart stack buffer overflow

Original Release date: 06 Mar 2008 | Last revised: 07 Mar 2008

Overview

Sun Java WebStart contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Sun Java WebStart is a technology for launching stand-alone Java applications. On Microsoft Windows systems, Java WebStart is provided by the program javaws.exe, which is included with the Sun Java Runtime Environment (JRE). Java WebStart operates by processing a JNLP file, which is an XML document that contains information about the Java application to execute. The Sun JRE installer configures Internet Explorer and Netscape Navigator to automatically open JNLP files without any user interaction.

Java WebStart contains a stack buffer overflow in the handling of JNLP files. This vulnerability can be exploited to execute arbitrary code as the result of opening a specially-crafted JNLP file, which can occur as the result of viewing a malicious web site. We have received reports that this vulnerability is being actively exploited.

Impact

By convincing a user to open a specially-crafted JNLP file, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This may occur as the result of viewing a specially-crafted web page.

Solution

Apply an update
This issue is addressed in the following Java versions:

  • JDK and JRE 6 Update 5
  • JDK and JRE 5.0 Update 15
  • SDK and JRE 1.4.2_17
Please see Sun Alert 233327 for more details and additional workarounds.


Delete the Windows file association for JNLP files
The file association for JNLP files on windows systems can be removed by deleting the following registry keys:

    HKLM\Software\Classes\.jnlp
    HKLM\Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file
    HKLM\Software\Classes\JNLPfile
Disable the Java WebStart ActiveX control in Internet Explorer
The Java WebStart ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
    {5852F5ED-8BF4-11D4-A245-0080C6F74284}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
    "Compatibility Flags"=dword:00000400

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Sun Microsystems, Inc.Affected01 Feb 200806 Mar 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2008-1196
  • Date Public: 06 Mar 2008
  • Date First Published: 06 Mar 2008
  • Date Last Updated: 07 Mar 2008
  • Severity Metric: 27.70
  • Document Revision: 25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.