Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
Vendor : http://www.sun.com

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected Products:
- JVM Version 6 Update 1
- JVM Version 6 Update 2

I. Background
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts the Java intermediate language (bytecode) into machine language and executes it. The original JVM came from the JavaSoft division of Sun. Subsequently, other vendors developed their own; for example, the Microsoft Virtual Machine is Microsoft's Java interpreter. A JVM is incorporated into a Web browser in order to execute Java applets. A JVM is also installed in a Web server to execute server-side Java programs. A JVM can also be installed in a client machine to run stand-alone Java applications."

II. Description
Please understand that no details will be given, too many bad guys would use it for drive-by attacks. At this point in time (old + fixed) there is really no need to.


III. Impact
Memory corruption due to a write attempt to a user controlable offset. i.e exploitable. The Java VM is reachable through every major browser.


IV. Disclosure timeline

  • 19/11/2008 : Send proof of concept, description to Microsoft (sic), as bug was triggered through IE.
  • 20/11/2008 : Microsoft asks for clarification
  • 21/11/2008 : Clarification sent.
  • 12/12/2008 : Microsoft replicated the memory corruption in Version 6 update 1 and recommends getting in contact with SUN

  • 12/12/2008 : Send proof of concept and description to SUN

  • 16/12/2008 : Sun acknwoledges receipt. PGP keys are exchanged.

  • 13/01/2009 : Asked for update from SUN

  • 17/01/2009 : Asked for update and indicate this is the last request prior to release if no answer is given.

  • 12/03/2009 : SUN asks for more specific details

  • 12/03/2009 : Details given

  • 24/04/2009 : Notify SUN that I am drafting the advisory and would require feedback and details

  • 24/04/2009 : SUN asks for a copy of the advisory and explains the engineering team is still working on the case

  • 07/04/2009 : Asks SUN for an update

  • 08/04/2009 : Sun responds that the team is still working on the case

  • 20/04/2009 : Asking for an update and details

  • 20/04/2009 : SUN responds that the engineers could not reproduce in Update 11 and 12

  • 20/04/2009 : I test the new updates and can no longer reproduce the issue

  • 22/04/2009 : Release of this advisory

1 comments

Anonymous said... @ 23 April, 2009 20:35

March or April?

Post a Comment