VU#636312: Oracle Java JRE 1.7 sun.awt.SunToolkit fails to restrict access to privileged code
Vulnerability Note VU#636312
Original Release date: 27 Aug 2012 | Last revised: 28 Aug 2012
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle’s documentation states, “If there is a security manager already installed, this method first calls the security manager’s checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it’s safe to replace the existing security manager. This may result in throwing a SecurityException.”
Oracle Java 1.7 provides via sun.awt.SunToolkit a public getField() function, which operates inside of a doPrivileged block. This function also uses the reflection method setAccessible() to make the field accessible, even if it were protected or private. Because sun.awt.SunToolkit is public, it can be called from anywhere.
By leveraging the public, privileged getField() function, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing.
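The coding pattern described above, next to a hardened form, as an added example (not JRE source and not part of the original note). `FieldHelper`, its method names and the `Sample` class are hypothetical, and the code assumes the Java 7-era `SecurityManager` API:

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper, constructed for illustration; not JRE source.
public final class FieldHelper {
    private FieldHelper() {}

    // Flawed pattern from the note: a public method that goes straight into
    // doPrivileged and lifts access checks for any caller, trusted or not.
    public static Field getFieldUnchecked(Class<?> cls, String name) {
        return lookup(cls, name);
    }

    // Hardened form: the permission check runs before doPrivileged, so every
    // frame on the call stack, including untrusted code, must hold it.
    public static Field getFieldChecked(Class<?> cls, String name) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return lookup(cls, name);
    }

    // Private, so the privileged reflection is reachable only via the methods above.
    private static Field lookup(final Class<?> cls, final String name) {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Field>() {
                public Field run() throws NoSuchFieldException {
                    Field f = cls.getDeclaredField(name);
                    f.setAccessible(true); // bypasses private/protected
                    return f;
                }
            });
        } catch (PrivilegedActionException e) {
            throw new IllegalArgumentException("no such field: " + name, e.getCause());
        }
    }

    // Constructed sample target with a private field.
    static final class Sample { private String secret = "constructed-value"; }

    public static void main(String[] args) throws Exception {
        Field f = getFieldChecked(Sample.class, "secret");
        System.out.println(f.get(new Sample()));
    }
}
```

Under a security manager, `getFieldChecked` throws a `SecurityException` for a caller that lacks `ReflectPermission("suppressAccessChecks")`, while `getFieldUnchecked` returns the accessible field regardless of who called it.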
This vulnerability occurred as the result of failing to comply with the following CERT Oracle Secure Coding Standard for Java rules:
This vulnerability is being actively exploited in the wild, and exploit code is publicly available.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
We are currently unaware of a practical solution to this problem.
Disable the Java plug-in
Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability.
Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.
Vendor Information

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Oracle Corporation|Affected|–|27 Aug 2012|
This document was written by Will Dormann, Fred Long, and Michael Orlando.
27 Aug 2012
Date First Published: 27 Aug 2012
Date Last Updated: 28 Aug 2012