Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A type confusion error when handling the "surfaceData" object can be exploited to cause a heap-based buffer overflow.

2) A signedness error when processing the "readMabCurveData" tag descriptor within ICC color profiles can be exploited to incorrectly allocate memory and cause memory corruption.

3) An error when processing the IDEF opcode (0x89) during True Type font parsing can be exploited to cause a heap-based buffer overflow via a specially crafted font file.

4) Certain input passed via JNLP files is not properly sanitised before being used by Java Web Start and can be exploited to inject and execute arbitrary commands.

5) An error in the JavaFX component can be exploited to install an Oracle signed JAR file and invoke certain methods of a trusted class with arbitrary arguments.

6) An error in the Install component may allow execution of arbitrary code in a client deployment via the update mechanism.

This may be related to:
SA47134

7) An error in the handling of AtomicReferenceArray due to its use of the Unsafe class to store references within the array may result in type safety violation and allow to escape the JRE sandbox.

8) An error in the I18n component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

9) An error in the Serialization component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

10) An error in the AWT component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

11) An error in the Sound component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

12) An error in the Lightweight HTTP Server can be exploited to cause a DoS.

For more information:
SA47819

13) An off-by-one error in the "countCENHeaders()" function (zip_util.c of the java.util.zip) when processing archive files can be exploited to cause a recursive loop and crash JVM via a specially crafted ZIP file.

14) An error in the CORBA component can be exploited to manipulate certain data in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

15) An input sanitisation error in the Java Web Start component when handling certain parameters within JNLP files can be exploited to inject arbitrary command line arguments via e.g. a specially crafted "java-vm-args" parameter.

NOTE: This vulnerability may be related to vulnerability #4.

16) An error in the use of reflection when a class within the NEWT library was used as the main-class in a JNLP file can be exploited to call the main method of other trusted classes with arbitrary arguments.

17) An error in the Java GlueGen library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "openLibraryGlobal".

18) An error in the Java OpenGL (JOGL) library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "LoadLibraryA".

19) An error in the Java OpenAL (JOAL) library can be exploited by a specially crafted Java applet to call "dispatch_alDeleteBuffers1" with a user-controlled integer value being used as a function pointer.

Solution
Apply patches (please see the vendor's advisory for more information).

Provided and/or discovered by
1) An anonymous person via iDefense.
2) Alin Rad Pop (binaryproof) via ZDI.
3) Peter Vreugdenhil, TippingPoint DVLabs.
4) TELUS Security Labs.
5, 15-19) Chris Ries via ZDI.
7) Jeroen Frijters.
13) Timo Warns, PRESENSE Technologies via PRE-CERT.
15) An anonymous person via ZDI.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for February 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

TELUS:
http://telussecuritylabs.com/threats/show/TSL20120214-01

PRE-CERT:
http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=970

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-032/
http://www.zerodayinitiative.com/advisories/ZDI-12-037/
http://www.zerodayinitiative.com/advisories/ZDI-12-038/
http://www.zerodayinitiative.com/advisories/ZDI-12-039/
http://www.zerodayinitiative.com/advisories/ZDI-12-045/
http://www.zerodayinitiative.com/advisories/ZDI-12-060/
http://www.zerodayinitiative.com/advisories/ZDI-12-081/
http://www.zerodayinitiative.com/advisories/ZDI-12-082/
http://www.zerodayinitiative.com/advisories/ZDI-12-083/

TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-12-01

Jeroen Frijters:
http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers