  • Latest Post - ‏2010-10-23T05:43:16Z by SystemAdmin
fpercynski

Pinned topic Need feedback on this Java security issue

‏2010-10-22T21:53:39Z |
I work in information security (and am not a Java developer). I am trying to determine if a program that "bundles" a very old version of Java presents a risk to the security of my organization. I will try to explain the best I can and appreciate any feedback.

Recently my company installed a product on every workstation that bundles its own version of Java. I say "bundles" because it's not "installed" in the sense that I don't see it in Add/Remove Programs. The new software puts Java 5.0 in C:\Program Files\<vendor folder>\jre\bin\java.exe. AND it also puts Java 5.0 in C:\Windows\System32\<vendor folder>\jre\bin\java.exe. Yes, version five dot zero is now on every computer in the company.

Our computers have JRE 6 Update 22 installed. I can see that in Add/Remove Programs. The vendor says their software will not use the version of Java that is actually "installed".

Java 5.0 is so outdated and no longer maintained (no security patches) that it probably has security risks, correct? My fear is a scenario where malware gets on the computer but doesn't have the privileges it needs, so it goes hunting for java.exe, finds the old version and exploits it to gain elevated privileges etc. The vendor has claimed their bundled version of Java is "sandboxed and isolated from use by other applications. The JRE is modified so that it is not able to be used in a browser or to launch java applets" but I don't trust the vendor.

What do you think? Is having v5 on the computer like this a big risk?

I may not have posted this in the correct forum - if so, I apologize and would welcome suggestions as to where to post this question.
Fred
  • saurabhsule82

    Re: Need feedback on this Java security issue

    ‏2010-10-23T03:48:25Z  
    Hi, I have just recently started taking an interest in the security domain, so I am very new and don't have complete knowledge, but I sure can share a few points here.

    Here is one list that tells you about all the vulnerabilities in Sun JDK and JRE:

    http://www.us-cert.gov/cas/bulletins/SB09-313.html

    What interests me in this list is the vulnerability in the code for reading JPEG images. It says if a JRE is made to read a crafted image it can cause privilege escalation. This, as you say, can be a serious threat, but I still haven't found any sample image that can actually demonstrate this.

    I am really interested in actually seeing it work so that we have an idea of what kind of risk we are looking at and how someone can really exploit it.
  • SystemAdmin

    Re: Need feedback on this Java security issue

    ‏2010-10-23T05:43:16Z  
    It's common for Java-based products to bundle their own JRE to prevent version incompatibility, and also to prune away the parts they don't require. Hence the claim about its inability to run applets, which you can handily test by looking for appletviewer.exe in the JRE and running it with a sample applet from one of the JDK demos. This JRE won't interfere with the one installed on your system.
    As for Java 5.0 - IBM's version is still supported and will continue to be supported for quite a few more years to come. It is trivial for a desktop user to upgrade to the latest and greatest Java version, not so for large enterprise-level projects, hence Java 5 is still very much in use and supported by both IBM and Sun/Oracle in terms of fixes and security patches.

    Your malware scenario is nonexistent. Firstly, if malware has gotten onto the system there are any number of easier ways to spread, by attaching DLLs to the Windows Explorer process, or impersonating well-known Windows system files or adding itself to the running services. Why should any malware take the trouble of screwing with java.exe?
    Java-based malware is mainly in the form of browser exploits, and as such requires specially crafted Java code to run - in a browser, as an applet, or as an application downloaded via JNLP (this requires user interaction, and it's well known what morons people can be when it comes to computer security, clicking on anything that pops up without thinking).

    The bottom line is that you don't have to worry about these far-fetched scenarios, and bundled Java runtimes pose no threat.
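
The check suggested in the last reply (look for appletviewer.exe in the bundled JRE) can be run across every copy of java.exe on a workstation. The PowerShell below is an added example, not part of the thread or of any vendor tooling. The search roots and the two component file names it tests for (appletviewer.exe, and javaws.exe as the JNLP/Web Start launcher) are assumptions to adjust for the product in question.

```powershell
# Added example: inventory every java.exe on a workstation and record which
# launcher components sit beside it, so a vendor's "pruned JRE" claim can be
# compared against what is actually on disk.

# Assumed search roots: the locations named in the question. Extend as needed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:windir\System32") |
    Where-Object { $_ -and (Test-Path $_) }

$report = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'java.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $bin = $_.DirectoryName
            [pscustomobject]@{
                Path          = $_.FullName
                # Version and product strings stamped into the executable
                FileVersion   = $_.VersionInfo.FileVersion
                ProductName   = $_.VersionInfo.ProductName
                # Components mentioned in the thread: applet viewer and JNLP launcher
                AppletViewer  = Test-Path (Join-Path $bin 'appletviewer.exe')
                JavaWebStart  = Test-Path (Join-Path $bin 'javaws.exe')
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# One row per runtime found; unexpected copies or old versions stand out here.
$report | Sort-Object Path | Format-Table -AutoSize

# Optional: save the result so it can be compared across machines.
# The output path is a placeholder.
# $report | Export-Csv -Path 'C:\Temp\java-inventory.csv' -NoTypeInformation
```

Run it from an elevated prompt so that protected folders under the search roots are not silently skipped.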