The flaws in the JRE that I know about are really not that high of a
risk. If you know something that I don't, please let me know. Here's
what I know, and you can tell me if that corresponds with what you know:
The remotely exploitable flaws in the JRE require two things in order to
be exploited:
1) You must be browsing malicious websites or installing malicious Java apps
2) You must allow Java applets to run from your browser without warning you
If you are fairly good about not browsing websites of questionable
character and are picky about the apps you install, then you should be
pretty safe. In addition to that, if you change your browser security
settings to not run Java applets without your approval (you really
should be doing this anyway), then you should be pretty darn safe.
If you know something that I don't know about the vulnerabilities that
exist in the JRE, then please let me know.
Here are the vulns that I know of that are covered by the above
information:
CVE             X-Force
CVE-2002-0076   8480:  java-vm-verifier-variant
                11182: sun-java-improper-validation
CAN-2002-1257   10713: java-bytecode-verifier-bypass
Matthew
=======================================================
Matthew Ward
Product Manager - Security Management
Phone 404 236 3995
email: [EMAIL PROTECTED]
Unofficial but sometimes helpful tips at
http://SiteProtector.blogspot.com
Internet Security Systems, Inc.
=======================================================
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mark Teicher
Sent: Sunday, November 23, 2003 10:37 PM
To: Andrew Plato; [EMAIL PROTECTED]
Subject: Re: [ISSForum] Java Security Problems
Andrew,
ISS is not the only vendor that is affected by the latest JRE security
vulnerability. Other companies that compete with ISS have far more serious
security issues with their use of JRE.
/m
At 07:12 PM 11/20/2003, Andrew Plato wrote:
>Is anybody aware of the Java security problems in JRE 1.4.1_xx? Is ISS
>planning to release a patch to make the console compatible with the JRE
>1.4.2?
>
>I have some customers who are NOT happy that there is NOTHING from ISS
>on the fact that the JRE 1.4.1 has a serious security problem and so
>far, no word from ISS on whether the console will be updated to support
>1.4.2 (which repairs the security vulnerability.)
>
>___________________________________
>Andrew Plato, CISSP
>President/Principal Consultant
>Anitian Enterprise Security
>
>503-644-5656 Office
>503-644-8574 Fax
>503-201-0821 Mobile
>www.anitian.com
>___________________________________
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo