=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN219
_____________________________________________________________________

DATE                      : 02/05/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java Web Start.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102881
      * Synopsis: Security Vulnerability With Java Web Start Related to
        Incorrect Use of System Classes
      * Category: Security
      * Product: Java 2 Platform, Standard Edition
      * BugIDs: 6461918
      * Avoidance: Patch, Upgrade
      * State: Resolved
      * Date Released: 30-Apr-2007
      * Date Closed: 30-Apr-2007
      * Date Modified:

1. Impact

    A security vulnerability in Java Web Start may allow an untrusted
    application to elevate its privileges. For example, an application may
    grant itself permissions to read and write local files that are
    accessible to the user running the Java Web Start application.

    Sun acknowledges, with thanks, the Fujitsu security team, for bringing
    this issue to our attention.

2. Contributing Factors

    This issue can occur in the following releases:
      * Java Web Start in JDK and JRE 5.0 Update 10 and earlier for
        Windows, Solaris and Linux
      * Java Web Start in SDK and JRE 1.4.2_13 and earlier for Windows,
        Solaris and Linux

    To determine the version of Java installed on a system, the following
    command can be used:
     % java -fullversion
     java full version "1.5.0_02-b09"
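    As an added example (not part of the Sun Alert or of this CERT-Renater
    note), a small POSIX shell script that classifies the line printed by
    `java -fullversion` against the releases this alert names as affected
    (5.0 Update 10 and earlier, 1.4.2_13 and earlier) and as fixed (5.0
    Update 11 or later, 1.4.2_14 or later); the function and variable names
    are my own, and releases the alert does not mention are reported as
    "unlisted".

```shell
#!/bin/sh
# Added example, not part of Sun Alert 102881: classify the version printed
# by "java -fullversion" against the releases the alert lists as affected
# (5.0 Update 10 and earlier, 1.4.2_13 and earlier) and as fixed
# (5.0 Update 11 or later, 1.4.2_14 or later).

# Pull the quoted version out of a line such as:
#   java full version "1.5.0_02-b09"
# and drop the build suffix: 1.5.0_02-b09 -> 1.5.0_02
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p' | sed 's/-.*//'
}

# Print "affected", "fixed" or "unlisted" for a version such as 1.5.0_02.
classify_java_version() {
    ver=$1
    base=${ver%%_*}                      # release family: 1.5.0 or 1.4.2
    update=${ver#"$base"}                # "_02", or empty for a GA build
    update=${update#_}
    update=$(printf '%s' "$update" | sed 's/^0*//')   # "02" -> "2"
    [ -n "$update" ] || update=0         # no update number means GA, i.e. update 0
    case $base in
        1.5.0) if [ "$update" -le 10 ]; then echo affected; else echo fixed; fi ;;
        1.4.2) if [ "$update" -le 13 ]; then echo affected; else echo fixed; fi ;;
        *)     echo unlisted ;;          # not named in the alert either way
    esac
}

# When run directly: check the java found on PATH. "java -fullversion"
# writes its single line to stderr, hence the 2>&1.
if command -v java >/dev/null 2>&1; then
    line=$(java -fullversion 2>&1)
    ver=$(java_version_string "$line")
    echo "$ver: $(classify_java_version "$ver")"
fi
```

    The classification only reflects the two release lines this alert
    covers; a result of "unlisted" means the alert says nothing about that
    version, not that it is safe.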


3. Symptoms

    There are no reliable symptoms that would show the described issue has
    been exploited.

4. Relief/Workaround

    To work around this issue, users should avoid using Java Web Start with
    untrusted applications, and may also wish to temporarily disable the
    use of Java Web Start.

    To disable Java Web Start applications from being automatically
    launched from a web browser, the following steps can be performed:

    For Internet Explorer:
     1. Right click on the "Start" button and select "Explore"
     2. In the "Start Menu" window, select "Tools" => "Folder Options"
     3. From the "Folder Options" window, select the "File Types" tab
     4. From the "Registered File Types" window, scroll down and locate
        the "JNLP - JNLP File"
     5. Select the "JNLP - JNLP File" and click the "Delete" button

    For Mozilla:
     1. Select "Preferences" under the browser's "Edit" menu
     2. In the "Preferences" window, select "Helper Applications" located
        under the "Navigator" category
     3. Under "File types", scroll down and locate
        "application/x-java-jnlp-file"
     4. Select "application/x-java-jnlp-file" and click the "Remove"
        button

    Note 1: On Microsoft Windows, applications may also be launched from
    the desktop icon or Start Menu if a shortcut was previously created
    for an application. Unknown applications should not be launched
    through the desktop icon or the Start Menu. Shortcuts can be removed
    by using the Java Web Start Application Manager through the
    "Application/Remove Shortcut" menu item.

    For more information, see:
      * http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html#jws

    Note 2: It is also possible to launch applications through the command
    line in Windows, Solaris, and Linux. Unknown applications should not
    be launched through the command line. Sites may consider renaming the
    Java Web Start launcher ("javaws.exe" for Windows and "javaws" for
    Solaris and Linux) to prevent Java Web Start from launching.

    The launcher can be found at:

    Windows:
     C:\Program Files\java\j2re1.5.0\javaws\javaws.exe

    Solaris (if installed using pkg):
     /usr/bin/javaws

    Linux (if installed using rpm):
     /usr/java/jre1.5.0/bin/javaws


5. Resolution

    This issue is addressed in the following releases:
      * Java Web Start in JDK and JRE 5.0 Update 11 or later
      * Java Web Start in SDK and JRE 1.4.2_14 or later

    J2SE 5.0 is available for download at the following link:
      * http://java.sun.com/j2se/1.5.0/download.jsp

    J2SE 5.0 Update 11 for Solaris is available in the following patches:
      * J2SE 5.0: update 11 (as delivered in patch 118666-11 or later)
      * J2SE 5.0: update 11 (as delivered in patch 118667-11 or
        later (64bit))
      * J2SE 5.0_x86: update 11 (as delivered in patch 118668-11 or later)
      * J2SE 5.0_x86: update 11 (as delivered in patch 118669-11 or
        later (64bit))

    J2SE 1.4.2 is available for download at the following link:
      * http://java.sun.com/j2se/1.4.2/download.html

    Note: It is recommended that affected versions be removed from your
    system. For more information, please see the installation notes on the
    respective java.sun.com download page and the following for the
    Windows platform:
      * http://java.com/en/download/help/uninstall_java.xml

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           The CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel:   01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax:   01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
