An Untrusted Java Web Start Application or Java Applet May Move or Copy Arbitrary Files by Requesting the User to Drag and Drop a File from Application or Applet Window to a Desktop Application


Category :Security
Release Phase :Resolved
Product :Java 2 Platform, Standard Edition  
Bug Id :6590857  
Date of Workaround Release :03-OCT-2007 
Date of Resolved Release :22-OCT-2007 


Impact

A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.


Contributing Factors

This issue can occur in the following releases (for Windows, Solaris, and Linux):

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

To determine the default version of the JRE that Internet Explorer uses:

  1. Click "Tools" in the Menu Bar at the top of the browser
  2. Select "Sun Java Console"
  3. The first two lines in the console displays the version of Java Plug-in and JRE that Internet Explorer uses.

To determine the default version of the JRE that Mozilla or Firefox browsers use, visit the URL "about:plugins".

The browser will display a page called "Installed plug-ins" which lists the version of the Java Plug-in such as the following:

    Java(TM) Plug-in 1.5.0_11-b03

The above example indicates that the version of the JRE that the browser uses is 1.5.0_11.


Symptoms

There are no predictable symptoms that would indicate that the above issue is being exploited.


Workaround

To reduce the likelihood of executing untrusted applications which may allow this issue to be exploited, Java Web Start applications may be disabled temporarily (until the updates or patches have been installed) as follows:

For Internet Explorer (Windows):

  1. Right click on the "Start" button and select "Explore"
  2. In the "Start Menu" window, select "Tools" => "Folder Options"
  3. From the "Folder Options" window, select the "File Types" tab
  4. From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
  5. Select the "JNLP - JNLP File" and click the "Delete" button

For Mozilla:

  1. Select "Preferences" under the browser's "Edit" menu
  2. In the "Preferences" window, select "Helper Applications" located under the "Navigator" category
  3. Under "Files types", scroll down and locate "application/x-java-jnlp-file"
  4. Select "application/x-java-jnlp-file" and click the "Remove" button

Note 1: On Microsoft Windows, applications may also be launched from the desktop icon or Start Menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item. For more information, see:

http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html#jws

Note 2: It is also possible to launch applications through the command line in Windows, Solaris, and Linux. Unknown applications should not be launched through the command line. Sites may consider renaming the Java Web Start launcher ("javaws.exe" for Windows and "javaws" for Solaris and Linux) to prevent Java Web Start from launching.

The launcher can be found at:

Windows:

JDK and JRE 6:

  C:\Program Files\Java\jre1.6.0_03\bin\javaws.exe

JDK and JRE 5:

  C:\Program Files\Java\jre1.5.0_13\bin\javaws.exe

SDK and JRE 1.4.2:

  C:\Program Files\Java\j2re1.4.2_16\javaws\javaws.exe

Solaris (if installed using pkg):

  /usr/bin/javaws

Linux (if installed using rpm):

  /usr/java/jre1.5.0/bin/javaws


Resolution

This issue is addressed in the following releases (for Windows, Solaris, and Linux):

  • JDK and JRE 6 Update 3 or later
  • JDK and JRE 5.0 Update 13 or later
  • SDK and JRE 1.4.2_16 or later

This issue is addressed in the following release (for Solaris 8 and Windows):

  • SDK and JRE 1.3.1_21 or later

JDK and JRE 6 Update 3 is available for download at the following links:

http://java.sun.com/javase/downloads/index.jsp

http://java.com

JDK 6 Update 3 for Solaris is available in the following patches:

  • Java SE 6 update 3 (as delivered in patch 125136-04 or later)
  • Java SE 6 update 3 (as delivered in patch 125137-04 or later (64bit))
  • Java SE 6_x86 update 3 (as delivered in patch 125138-04 or later)
  • Java SE 6_x86 update 3 (as delivered in patch 125139-04 or later (64bit))

JDK and JRE 5.0 Update 13 is available for download at the following link:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 13 for Solaris is available in the following patches:

  • J2SE 5.0 update 13 (as delivered in patch 118666-14)
  • J2SE 5.0 update 13 (as delivered in patch 118667-14 (64bit))
  • J2SE 5.0_x86 update 13 (as delivered in patch 118668-14)
  • J2SE 5.0_x86 update 13 (as delivered in patch 118669-14 (64bit))

SDK and JRE 1.4.2 is available for download at:

http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1 for Solaris 8 is available for download at:

http://java.sun.com/j2se/1.3/download.html

SDK and JRE 1.3.1 have completed the Sun End of Life (EOL) process and is only supported for customers with Solaris 8 and Vintage Support Offering support contracts (see http://java.sun.com/j2se/1.3/download.html). Sun strongly recommends that users upgrade to the latest releases.

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform please see:

http://java.com/en/download/help/uninstall_java.xml




Modification History


Date: 22-OCT-2007
  • Updated Resolution section
  • State: Resolved



Attachments
This solution has no attachment
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 200162
Article Type : Sun Alert
Last reviewed : 2007-10-22
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
About Oracle | Oracle and Sun | Oracle RSS Feeds | Subscribe | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or its affiliates | SunSolve Version 7.4.2 #1