Virtualization Technology News and Information
Code can be injected into Sun's Java Virtual Machine from GIFs

An error in Sun's Java Virtual Machine can be exploited to inject code onto a system and execute it by means of specially prepared GIF images. The Zero Day Initiative (ZDI) says that a GIF image with the width field of an image block set to zero provokes an overflow due to insufficiently allocated memory, creating a number of flawed pointers. At least one of them could be exploited to manipulate specific parts of memory according to the security advisory. In addition, an untrustworthy applet can increase its privileges to gain access to all of a system's resources. However, users first have to visit a malicious website to be attacked. On the other hand, attackers can often easily get victims to do so by sending them an apparently interesting link via e-mail.

JDK and JRE 5.0 update 9 and previous versions, SDK and JRE 1.4.2_12 and previous versions, and SDK and JRE 1.3.1_18 and previous versions are affected on Windows, Solaris, and Linux. The flaws have been remedied in JDK/JRE 5.0 Update 10, SDK/JRE 1.4.2_13, and SDK/JRE 1.3.1_19, which have been available since the end of December. Keep in mind, however, that Java updates generally install a completely new version without deleting the previous one. Users therefore have to uninstall manually any vulnerable old versions.

Read original, here.

Published Thursday, January 18, 2007 5:58 PM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<January 2007>