
Java Zero-Day Patched

STEAM-ADVISORY NO. 2010041601
PURDUE UNIVERSITY SECURITY TEAM CIRT
Friday, April 16 2:30:00 EDT 2010

==OVERVIEW==

A Sun Java vulnerability has been reported. It is caused by an input handling error that can be exploited to execute Java-based programs.
NOTE: Patch Available

==SYSTEMS AFFECTED==

 * Sun Java JDK 1.6x
 * Sun Java JRE 1.6x/6x

==DETAILS==

 * Impact: Systems access
 * Where:  From Remote

The Java Deployment Toolkit allows developers to provide their toolkits to end users by pointing them to URL strings.  The URL parameters are not properly validated before they are passed to the javaws utility.  This can be exploited to allow for execution of arbitrary code.  Exploitation requires a user to be tricked into visiting a malicious web page.

==SOLUTIONS==

 * Update JRE/JDK to 6u20
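
One way to check collected `java -version` output against the 6u20 fix level, as an added example that is not part of the original advisory. The function names, host names and sample outputs are constructed for illustration; only the 1.6 family listed under SYSTEMS AFFECTED is evaluated.

```python
import re

# Java 6 reports itself as 1.6.0 or 1.6.0_NN (optionally followed by -bNN).
# The lookahead rejects partial matches such as 1.6.0_20.1 or 1.6.0.1.
_JAVA6_RE = re.compile(r'\b1\.6\.0(?:_(\d+))?(?![\d._])')

FIXED_UPDATE = 20  # advisory solution: update JRE/JDK to 6u20


def java6_update(version_text):
    """Return the Java 6 update number in the text, or None if no 1.6.0
    runtime is reported. A bare 1.6.0 (initial release) counts as update 0."""
    match = _JAVA6_RE.search(version_text)
    if match is None:
        return None
    return int(match.group(1) or 0)


def needs_update(version_text):
    """True when the text reports a Java 6 runtime older than 6u20."""
    update = java6_update(version_text)
    return update is not None and update < FIXED_UPDATE


def audit(inventory):
    """inventory maps host name -> captured `java -version` output.
    Returns the sorted list of hosts still below the fixed update."""
    return sorted(host for host, out in inventory.items() if needs_update(out))


# Constructed sample data (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "lab-01": 'java version "1.6.0_19"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_19-b04)',
    "lab-02": 'java version "1.6.0_20"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)',
    "lab-03": 'java version "1.6.0"',        # initial release, no update suffix
    "lab-04": 'java version "1.5.0_22"',     # not in the affected list
    "lab-05": 'java: command not found',     # no runtime installed
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host + ": Java 6 below 6u20, update required")
```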

==FURTHER INFORMATION AND RESOURCES==

Sun Developer Network
java.sun.com/javase/6/webnotes/6u20.html
Secunia
secunia.com/advisories/39260
ComputerWorld
w w w .computerworld.com/s/article/9175597/Oracle_issues_emergency_Java_patch_to_stop_zero_day_attacks
(remove spaces from links)

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
w w w .purdue.edu/securePurdue/incidentReportForm.cfm
w w w .purdue.edu/securepurdue/steam
(remove spaces from links)

Posted by Brad Graves on April 16, 2010, in Advisory Alerts.