Java Web Start vulnerability question
Hello,
I am very new to the Java world and am trying to determine a couple of things I hope you might help me with.
We were recently advised of a security issue with Java Web Start (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1). I ran a query for installations of javaws.exe, which produced a wide range of results. Our default here is JRE 6, but there are certain applications which install older versions of the javaws.exe file for various functions (that is, almost all systems have JRE 6, but some have older versions of javaws.exe as well).
My two questions are:
1. Does the presence of older javaws.exe files on a system that is up-to-date with JRE 6 (which includes its own version of javaws.exe) mean a system is vulnerable? My thought is that if the javaws file is present it can be used to execute untrusted apps.
2. Can those older individual javaws.exe files be updated in some fashion (without installing the full older JRE) to prevent exploitation? Granted, we'd need to contact the vendors of the apps which installed those older versions to ensure no product functionality problems occur.
I hope I haven't confused the issues/terms too much - just trying to get a handle on what the Java Web Start does and how we can mitigate the vulnerability with those older file versions.
Thanks very much for your help!
cheers /td
By tdigiteea at 2007-11-27 10:15:47

> 1. Does the presence of older javaws.exe files on a
> system that is up-to-date with JRE 6 (which includes
> its own version of javaws.exe) mean a system is
> vulnerable? My thought is that if the javaws file is
> present it can be used to execute untrusted apps.
Only if the older javaws.exe is used to run said untrusted apps. Generally, once you've installed the newer version, that is the one registered to be used when launching a Web Start app. However, the question is, is the flaw in the JRE or in javaws.exe itself? Because in Web Start apps, I believe you can say the app should run in version x.y.z. But I'm not sure of the practical effect of this.
> 2. Can those older individual javaws.exe files be
> updated in some fashion (without installing the full
> older JRE) to prevent exploitation? Granted, we'd
> need to contact the vendors of the apps which
> installed those older versions to ensure no product
> functionality problems occur.
No, you can't update those. But do these apps you mention, which have their own older JREs, actually use javaws.exe? Because most apps that install a JRE alongside themselves are not running as a Web Start app; they run as a regular app, typically with javaw.exe, which doesn't have any of those security restrictions and can delete whatever files it wants to anyway.
> I hope I haven't confused the issues/terms too much -
> just trying to get a handle on what the Java Web
> Start does and how we can mitigate the vulnerability
> with those older file versions.
With the newer version installed as the default JRE for the system, you should not have a problem.
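An added example, not from either poster, of how to check the two things discussed above on a Windows host: which copies of javaws.exe exist and what version each is, and which copy is actually registered to handle .jnlp files (the one a browser download or double-click will launch). It assumes the JREs live under Program Files (32- or 64-bit) and that the installer created the usual HKCR\.jnlp -> JNLPFile association; both are assumptions, adjust the search roots or ProgID if your environment differs.

```powershell
# Added example, not from the original thread: inventory every javaws.exe on a
# Windows host with its file version, and show which copy is registered to run
# .jnlp files. Assumptions: Java lives under Program Files (32- or 64-bit), and
# the installer registered the usual HKCR\.jnlp -> JNLPFile association.

$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# 1. Find every copy of javaws.exe and read the version stamped into the binary.
$copies = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter javaws.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Modified    = $_.LastWriteTime
            }
        }
}

"javaws.exe copies found:"
$copies | Sort-Object Path | Format-Table -AutoSize | Out-String

# 2. Resolve the handler Windows uses for .jnlp files. HKCR\.jnlp holds a ProgID
#    (normally JNLPFile); that ProgID's shell\open\command holds the launch line.
$progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.jnlp' -ErrorAction SilentlyContinue).'(default)'
if (-not $progId) { $progId = 'JNLPFile' }   # assumption: the installer's default ProgID
$cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
$command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
"Registered .jnlp handler command: $command"

# 3. Pull the executable path out of the command line and compare it with the
#    other copies. Copies that are not the registered handler are only reachable
#    if some application invokes them by explicit path.
if ($command -match '^"?(?<exe>[^"]*javaws\.exe)') {
    $exe = $Matches['exe']
    if (Test-Path $exe) {
        $handlerVersion = (Get-Item $exe).VersionInfo.FileVersion
        "Handler file version: $handlerVersion"
        $copies |
            Where-Object { $_.Path -ne $exe } |
            ForEach-Object {
                "Not the registered handler: $($_.Path) ($($_.FileVersion))"
            }
    } else {
        "Warning: handler path '$exe' does not exist"
    }
} else {
    "Warning: no javaws.exe found in the .jnlp handler command"
}
```

Run it from a normal PowerShell prompt; reading HKEY_CLASSES_ROOT needs no elevation, and the Registry:: view already merges per-machine and per-user class registrations, so a user-level override of the .jnlp association shows up here too. The copies listed as "not the registered handler" are the ones to take back to the vendor of the application that shipped them, since, as the reply notes, they cannot be patched in place.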