Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to disclose potentially sensitive information, manipulate certain data, bypass certain security restrictions, and compromise a vulnerable system.

1) An error in the 2D component may allow execution of arbitrary code.

2) An error in the 2D component may allow execution of arbitrary code.

3) An integer overflow error in the "JPEGImageWriter.writeImage()" function when processing JPEG image dimensions of a subsample can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

4) An integer overflow error in the color profile parser when processing the ICC Profile Device Information Tag structure fails to properly allocate memory.

Successful exploitation may allow execution of arbitrary code.

5) An error in the 2D component may allow execution of arbitrary code.

6) An integer overflow error in the color profile parser when processing the ICC Profile Unicode Description Tag structure fails to properly allocate memory.

Successful exploitation may allow execution of arbitrary code.

7) An error in the CORBA component may allow execution of arbitrary code.

8) An error in the com.sun.jnlp.BasicServiceImpl class when retrieving a security policy can be exploited to remove sandbox restrictions.

Successful exploitation allows execution of arbitrary code.

9) An input validation error when parsing JNLP content tags when creating shortcut files from draggable applets can be exploited to create files with arbitrary Scriptable Shell Objects.

Successful exploitation may allow execution of arbitrary code but requires tricking a user into creating a shortcut to the applet.

10) An error in the JRE component may allow execution of arbitrary code.

11) An error in the Java Web Start component may allow execution of arbitrary code.

12) A boundary error in the New Java Plugin (JP2IEXP.dll) when copying the "docbase" applet parameter can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

13) A signedness error in the "HeadspaceSoundbank.nGetName()" function when parsing BANK records can be exploited to cause a buffer overflow using memcpy() via a specially crafted SoundBank file.

Successful exploitation may allow execution of arbitrary code.

14) An error in the Sound component may allow execution of arbitrary code.

15) An error in the Swing component may allow execution of arbitrary code.

16) An error in the ActiveX plugin fails to properly initialize a window handle and may allow execution of arbitrary code.

17) An error in the Java Web Start component may allow execution of arbitrary code.

18) An error in the Deployment Toolkit component may allow execution of arbitrary code.

19) An error in the CORBA component can be exploited to disclose and manipulate certain data.

20) An error in the JSSE TLS/SSL component can be exploited to manipulate certain data.

For more information:
SA37291

21) A NULL-pointer dereference error in Kerberos GSS-API can be exploited to cause a DoS.

For more information:
SA39762

22) An error in the Networking component can be exploited to disclose and manipulate certain data.

23) An error in the Swing component can be exploited to disclose and manipulate certain data.

24) An error in the "addRequestProperty()" method can be exploited to inject new HTTP requests via the "Transfer-Encoding" header and bypass the Same Origin Policy (SOP).

25) An error in the Java Runtime Environment can be exploited by an untrusted applet to bypass the same origin policy and e.g. access cookies of other domains.

26) An error in the Networking component when handling multiple applets can be exploited to conduct DNS spoofing attacks and open arbitrary TCP ports on the local host.

27) An error in the JNDI component can be exploited to disclose certain data.

28) An error in the implementation of the "hashCode()" method within the Networking component can be exploited to disclose an IP address of the local network interface.

29) An error in the Packages.javax.naming package when performing DNS resolution can be exploited to disclose the IP address of a DNS server via error messages.

Solution
Apply updates.
Further details available to Secunia VIM customers

Provided and/or discovered by
3) An anonymous person, reported via ZDI.
4,6) Intevydis, reported via ZDI.
8) Matthias Kaiser, reported via ZDI.
12) Independently discovered by Stephen Fewer of Harmony Security, via ZDI and SkyLined, Google Inc.
16) Stephen Fewer of Harmony Security, reported via ZDI.
13) An anonymous person, reported via ZDI.
16) An anonymous person, reported via ZDI.
25) Roberto Suggi Liverani, Security-Assessment.com.
9,24-26,28,29) Stefano Di Paola, Minded Security.

The vendor also credits SkyLined, Google Inc.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Critical Patch Update for October 2010 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-202/
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
http://www.zerodayinitiative.com/advisories/ZDI-10-208/

SkyLined:
http://code.google.com/p/skylined/issues/detail?id=18
http://code.google.com/p/skylined/issues/detail?id=23

Security-Assessment.com:
http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf

Minded Security:
http://blog.mindedsecurity.com/2010/10/java-jnlp-applet-user-assisted.html
http://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html
http://blog.mindedsecurity.com/2010/10/java-applet-same-ip-host-access.html
http://blog.mindedsecurity.com/2010/10/http-request-splitting-and-header-abuse.html
http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers