(Adding advisory information from @RISK: The Consensus Security Vulnerability Alert Vol. 9 No. 42)
(2) HIGH: Oracle Java Multiple Vulnerabilities
Affected:
JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux Java SE
JDK 5.0 Update 25 and earlier for Solaris Java SE
SDK 1.4.2_27 and earlier for Solaris Java SE
JDK and JRE 6 Update 21 and earlier for Windows, Solaris and Linux Java for Business
JDK and JRE 5.0 Update 25 and earlier for Windows, Solaris and Linux Java for Business
SDK and JRE 1.4.2_27 and earlier for Windows, Solaris and Linux Java for Business
Description: Oracle has recently released a critical update addressing
multiple security vulnerabilities. According to Oracle, the patch
addresses 29 vulnerabilities, 28 of which could lead to code execution.
Some of these vulnerabilities exist because of flaws in the low-level
implementation of the Java Runtime Environment (JRE). Although Java is
intended to be type safe, low-level code sometimes writes user-defined
strings to C buffers, giving an attacker the opportunity to overwrite
return addresses and execute code. Vulnerabilities like these allow Java
applets, which start without user interaction when a target navigates
to a malicious site, to execute with the permissions of the Java process
running them. Normally applets run with restricted privileges.
Status: vendor confirmed, updates available
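The affected list above is given as "Update N and earlier" per release line, which is easy to misread when the banner uses the legacy `1.6.0_21` form. As an added example (not part of the @RISK advisory or of any Oracle tooling), the following Python checks `java -version` banners against those thresholds; the host names and banner strings are constructed for illustration.

```python
import re

# Thresholds taken from the advisory's "Affected" list, keyed by the
# legacy (major, minor, patch) prefix of the version string:
#   1.6.0 -> JDK/JRE 6 Update 21 and earlier
#   1.5.0 -> JDK/JRE 5.0 Update 25 and earlier
#   1.4.2 -> SDK/JRE 1.4.2_27 and earlier
AFFECTED_UPTO = {
    (1, 6, 0): 21,
    (1, 5, 0): 25,
    (1, 4, 2): 27,
}

# Matches the first line of `java -version`, e.g. java version "1.6.0_21"
# The update number after "_" is optional (a bare "1.6.0" is Update 0).
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return ((major, minor, patch), update) from a `java -version` banner,
    or None when no recognisable version line is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    line = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    update = int(m.group(4)) if m.group(4) else 0
    return line, update


def is_affected(banner):
    """True if the banner falls inside an affected range, False if it is a
    later update or a release line the advisory does not list, None if the
    banner could not be parsed (e.g. Java not installed)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    line, update = parsed
    last_affected = AFFECTED_UPTO.get(line)
    if last_affected is None:
        return False
    return update <= last_affected


def audit(banners):
    """Map host name -> affected status for a dict of collected banners."""
    return {host: is_affected(text) for host, text in banners.items()}


# Constructed sample banners, as they might be collected from hosts.
SAMPLES = {
    "host-a": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)\n',
    "host-b": 'java version "1.6.0_22"\n',
    "host-c": 'java version "1.5.0_25"\n',
    "host-d": 'java version "1.4.2_28"\n',
    "host-e": 'java version "1.6.0"\n',
    "host-f": 'sh: java: command not found\n',
}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        label = {True: "AFFECTED", False: "not affected", None: "unknown"}[status]
        print(f"{host}: {label}")
```

Hosts reporting `None` should be checked by hand rather than treated as clean: a missing `java` on the PATH says nothing about browser-plugin installs.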
References:
Vendor Site
http://www.oracle.com
Oracle Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
SecurityFocus Bugtraq IDs
http://www.securityfocus.com/bid/36935
http://www.securityfocus.com/bid/40235
http://www.securityfocus.com/bid/43965
http://www.securityfocus.com/bid/43971
http://www.securityfocus.com/bid/43979
http://www.securityfocus.com/bid/43985
http://www.securityfocus.com/bid/43988
http://www.securityfocus.com/bid/43992
http://www.securityfocus.com/bid/43994
http://www.securityfocus.com/bid/43999
http://www.securityfocus.com/bid/44009
http://www.securityfocus.com/bid/44011
http://www.securityfocus.com/bid/44012
http://www.securityfocus.com/bid/44013
http://www.securityfocus.com/bid/44014
http://www.securityfocus.com/bid/44016
http://www.securityfocus.com/bid/44017
http://www.securityfocus.com/bid/44020
http://www.securityfocus.com/bid/44021
http://www.securityfocus.com/bid/44023
http://www.securityfocus.com/bid/44024
http://www.securityfocus.com/bid/44026
http://www.securityfocus.com/bid/44027
http://www.securityfocus.com/bid/44028
http://www.securityfocus.com/bid/44030
http://www.securityfocus.com/bid/44032
http://www.securityfocus.com/bid/44035
http://www.securityfocus.com/bid/44038
http://www.securityfocus.com/bid/44040
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-10-202/
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
http://www.zerodayinitiative.com/advisories/ZDI-10-208/