
DOE-CIRC TECHNICAL BULLETIN

T-164: Sun Java Runtime Environment Aqua Look and Feel Privilege Escalation Vulnerability

[CVE-2009-1719]

June 18, 2009 15:00 GMT

PROBLEM: Apple Java CColourUIResource Pointer Dereference Code Execution Vulnerability.
PLATFORM: Affects Java 1.5 on Mac OS X v10.5 systems.
ABSTRACT: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Java HotSpot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the undocumented apple.laf.CColourUIResource(long, int, int, int, int) constructor. When a long integer value is passed as the first argument, the value is interpreted as a pointer to an Objective-C object. By constructing a special memory structure and passing a pointer to it as the first argument, an attacker may execute arbitrary code.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-164.shtml
  OTHER LINKS:
    CVE-2009-1719:       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1719
    Apple:               http://support.apple.com/kb/HT3632
    Security Focus:      http://www.securityfocus.com/bid/35381/info
    Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-09-043/

IMPACT ASSESSMENT: This risk is rated high. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with elevated privileges.

[***** Start CVE-2009-1719 *****]
Discussion:
The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X 10.5 allows remote attackers to execute arbitrary
code via a call to the undocumented apple.laf.CColourUIResource constructor with a crafted value in the first argument,
which is dereferenced as a pointer.

This issue affects JRE 1.5 running on Mac OS X 10.5.

Solution:
Apple has issued an update to correct this vulnerability. 

More details can be found at:
http://support.apple.com/kb/HT3632

Apple Mac OS X 10.5.7

Apple JavaForMacOSX10.5Update4.dmg

http://support.apple.com/downloads/DL848/en_US/JavaForMacOSX10.5Update4.dmg
[***** End CVE-2009-1719 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788