|
|
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Oracle has released a security update for Java. If you have Java installed and haven't updated your Java yet, do it now. I'll wait. No, really. I'm not going on until you do. ... OK, great. Now, I'm going to try something new and analyze the differences between Java 6 update 25 and Java 6 update 26. And we'll try to figure out what the underlying vulnerability might have been. For the comparison, I'll be using my rather stale open source project reJ rejava. You feed it two .jars and it does a binary comparison of each of the files in the .jar, and indicates which files are new, removed, or changed. It then allows you to open these changed files and it does another diff on method level, and yet another on the bytecode level of each changed method. It works OK, sometimes the algorithm consumes all the memory available, though. Let's get started File rt.jar the runtime - heart and soul of Java Package sun.util.resources TimeZoneNames TimeZoneNames_de TimeZoneNames_es TimeZoneNames_fr TimeZoneNames_it TimeZoneNames_pt_BR TimeZoneNames_sv These are not security related, just updating the time zone data. OK, I got curious. rej chokes on these files, because they're big. It seems the change is more or less the same as this http hg.openjdk.java.net jdk7 build jdk rev 55f97ad0a36e Namely the addition of America Metlakatla and America Sitka Package sun.misc Version Also not security related. Updated the version strings to update 26. Package sun.java2d.pipe DrawImage Not security related. The line numbers have changed, maybe a comment added to the code. I'm compaing the rt.jar from the JDK which has debugging information like source-code line number information included. Package javax.swing ImageIcon This is security related. But from a quick look, I can't figure out what the vulnerability is. The source for this class is available in the src.zip of the JDK for both versions. The ImageIcon has a static protected component field whose appContext field is set to null in a privileged block. In the new version this component is instantiated in another doPrivileged block which removes all it's permissions. Package java.security SignedObject This looks security related as well. Also available in the src.zip. SignedObject's readObject method has been updated. The update 25 version looked like this s.defaultReadObject content byte content.clone signature byte signature.clone and the update 26 looks like this java.io.ObjectInputStream.GetField fields s.readFields content byte fields.get content , null .clone signature byte fields.get signature , null .clone thealgorithm String fields.get thealgorithm , null This might be related to the problems of serialization I wrote about. In the old version you could deserialize a SignedObject and get a reference to it, and the internal byte arrays for content and signature and pause the deserialization process before the two fields were replaced by clone . Package java.net NetworkInterface This a fix to the NetworkInterface.toString method spilling out IP addresses, etc that I presented as an example of Trusted Method Chaining at the t2 infosec conference in 2010 and blogged about earlier this year. Kudos to Oracle for reading my blog. Now the toString method doesn't return IP addresses anymore. Package com.sun.xml.internal.messaging.saaj.client.p2p HttpSOAPConnection This is a fix to another slight issue I talked about at the t2 infosec conference, the HttpSOAPConnection class used to do HTTP requests that violated the same origin policy. That has been fixed. And as a bonus, this class used to set system proxy settings, which I hadn't mentioned anywhere, but which was on my TODO list. I guess I can remove it now. I didn't blog about that, so I guess that means Oracle also looked at my presentation slides. Nice. Package com.sun.org.apache.bcel.internal.classfile Utility OK, you guessed right. This fixes yet another issue I talked about at the t2 infosec conference, and blogged about here. That is, this class which seems to originate from the BCEL project, had some funky logic which lead to a System.exit , if instrumented in the right way. The System.exit has been removed. File plugin.jar as the name suggests, this has Java plugin specific stuff No changes. File resources.jar No changes. File jsse.jar Java Secure Socket Extension No changes. File jce.jar Java Cryptography extension No changes. File javaws.jar Java Web Start No changes. File deploy.jar Package com.sun.deploy.config Config There's a binary difference, but reJ doesn't detect any bytecode differences. I'm guessing this is another linenumber difference. Package com.sun.deploy.util JVMParameters SecurityBaseline URLUtil SecurityBaseline has version information which has been updated. JVMParameters has a change that has something to do with verifying if a Parameter is secure, but I can't figure out what's the net effect here. This seems to be clearly security related, but I can't figure out how severe. URLUtil has a change in the checkTargetURL method which that deals with jar and file URLs. This also seems to be clearly security related, but I can't figure out how severe. File charsets.jar No changes. File sunpkcs11.jar Package sun.security.pkcs11 Config ConfigurationException P11Cipher Secmod Config and Secmod seem to have real changes, but I'm not familiar enough with the pkcs packages to quickly assess what's going on. By my counts that means that the majority of the fixed issues are in the native side, which I won't be dealing with here.
Les derniers articles du site " Slightly Random Broken Thoughts" :
- Java 6 update 26 is out
- Inflated Java Malware Infection Rates
- Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability
- Java JFileChooser Programmatic Manipulation Vulnerability
- Trusted Method Chaining for Network Interface details
- Trusted Method Chaining to a System.exit
- Hazards of Duke
- Java 6 Update 22 is out
- Breaking Defensive Serialization
- Why Complex Powerful is a bad combination for security
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.190.17.190 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.190.17.190 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
