JDK and JRE 6 Update 13:
JDK and JRE 5.0 Update 18:
Java SE for Business SDK and JRE 1.4.2_20:
http://www.sun.com/software/javaseforbu ... wnload.jsp
SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts):
Re: New version of Java
Post by doc pc on 03 Nov 2009 23:54
New version of Java (6 Update 17)
http://www.java.com/fr/download/windows ... w.java.com
The vulnerability is caused due to an input sanitisation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.
Basically, a call to CreateProcessA() is issued by the Java Deployment Toolkit without sanitising command line arguments. This further allows injecting arbitrary JVM arguments and executing code in a privileged context, leading to a complete system compromise when visiting a web site.
Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.
Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
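The two workarounds described above, written as a PowerShell script; this is an added example, not part of the original post or the advisory. The registry location and the 0x400 kill-bit flag are the standard Internet Explorer ActiveX compatibility settings, while the search roots for npdeploytk.dll and the choice of a Deny ReadAndExecute entry for Everyone are assumptions.

```powershell
# Added example: applies the kill bit and the file ACL workaround on one machine.
# Assumption: $PluginRoots lists where npdeploytk.dll might be installed.
param(
    [string[]]$PluginRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

$Clsid   = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'  # CLSID quoted in the post
$KillBit = 0x400                                      # "do not load" compatibility flag
$Name    = 'Compatibility Flags'

# 1. Internet Explorer: set the kill bit in the native and the 32-bit registry view.
$bases = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }          # view absent on 32-bit Windows
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any flags already present and add the kill bit on top of them.
    $old = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    $new = [int]$old -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
    [pscustomobject]@{ Target = $key; Result = ('flags=0x{0:X}' -f $new) }
}

# 2. NPAPI browsers: deny read/execute on every copy of npdeploytk.dll that is found.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'ReadAndExecute', 'Deny')
$roots = $PluginRoots | Where-Object { $_ -and (Test-Path $_) }
$dlls = @()
if ($roots) {
    $dlls = @(Get-ChildItem -Path $roots -Filter 'npdeploytk.dll' -Recurse -ErrorAction SilentlyContinue)
}
foreach ($dll in $dlls) {
    $acl = Get-Acl -Path $dll.FullName
    $acl.AddAccessRule($deny)                          # explicit Deny wins over Allow entries
    Set-Acl -Path $dll.FullName -AclObject $acl
    [pscustomobject]@{ Target = $dll.FullName; Result = 'deny ACE added' }
}
if ($dlls.Count -eq 0) {
    Write-Warning 'npdeploytk.dll not found under the given roots; pass -PluginRoots explicitly.'
}
```

Run it from an elevated prompt. Deleting the Compatibility Flags value and removing the Deny entry reverts both changes once a fixed Java release is installed.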