-- Corsaire Security Advisory --

Title: Sun J2RE DoS issue
Date: 05.09.06
Application: Sun JRE 5.0 prior to update 14
Environment: Sun JRE
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c060905-002


-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sun JRE product [1] that will allow an attacker to cause the JRE and 
Internet Explorer to fail, possibly losing unsaved work etc.


-- History --

Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 09.11.06
Additional analysis: (Kevin O'Reilly)
Document released: 08.01.08


-- Overview --

Sun JRE is described [1] as "the Java APIs, Java Virtual Machine 
(HotSpot VM), and other components necessary to run applets and 
applications written in the Java programming language".
 
The software provides a virtualisation layer that allows java 
applications to be run across platforms and operating systems.  These 
java applications can be delivered to the JVM via a number of 
mechanisms, and are commonly downloaded from a web server or less 
commonly, can be embedded within HTML content.


-- Analysis --

The RFC2397 [2] standard allows for the encoding of java applets within 
a URI, allowing it to be embedded in an HTML document.  

If an applet is encoded into the data parameter of an object tag with an 
undefined "name" attribute, and is then passed to Internet Explorer, 
then when the application is unencoded and passed in turn to the JVM it 
causes a null pointer exception to occur in jpiexp32.dll. 


-- Recommendations --

Upgrade to a version of the Sun JRE product that does not exhibit this 
issue (such as Sun JRE 6.0 or JRE 5.0 update 14), and uninstall all 
effected versions.  This is important, as it is possible for an attacker 
to specify which local VM will be used to run an applet (and so select a 
vulnerable version).


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2007-0012 to this issue.  This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://java.sun.com/javase/
[2] http://www.ietf.org/rfc/rfc2397

This bug is tracked by Sun as 6511363.


-- Revision --

a. Initial release.


-- Distribution --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2006 Corsaire Limited. All rights reserved.