Introduction
Secunia has updated the Secunia Online Software Inspector (OSI).
The updated Secunia OSI works around a security-related design problem in Sun Java and activates additional security features in Sun Java.
Previous users of Secunia OSI only need to run the Secunia OSI to secure their systems against this issue. New users are not affected and do not need to take any actions.
Other Secunia solutions do not use Sun Java and are therefore not affected.
Technical Description
A previous version of the Secunia OSI is affected by a security-related design problem in Sun Java, which allows malicious people to manipulate the signed JAR file and thereby compromise a system that trusts the certificate used to sign the old version.
Technical Solution
Run the Secunia OSI. It will automatically configure Sun Java to prevent the old OSI applet from running (by enabling the certificate revocation checks described below).
Alternatively, you may remove the trust relationship to the old Secunia certificate and/or manually enable the following Sun Java security settings:
"Check publisher certificate for revocation"
"Enable online certificate validation"
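As an added illustration (not Secunia's or the OSI's own code), the following Python script inspects a Java deployment.properties file for the two settings above and produces a hardened copy in which both are enabled. It assumes that the two Java Control Panel checkboxes correspond to the keys deployment.security.validation.crl and deployment.security.validation.ocsp, and it runs against a constructed sample file.

```python
"""Report and enable Java's revocation-check settings in deployment.properties.

Assumption (added example, not from the advisory): the Control Panel options
"Check publisher certificate for revocation" and "Enable online certificate
validation" are stored under the two deployment.security.validation.* keys.
An absent key counts as disabled, matching the insecure default described.
"""
from typing import Dict, List, Tuple

REVOCATION_KEYS = {
    "deployment.security.validation.crl": "Check publisher certificate for revocation",
    "deployment.security.validation.ocsp": "Enable online certificate validation",
}


def split_kv(line: str) -> Tuple[str, str]:
    """Split one properties line at the first '=' or ':' separator."""
    positions = [i for i, ch in enumerate(line) if ch in "=:"]
    if not positions:
        return line.strip(), ""
    i = positions[0]
    return line[:i].strip(), line[i + 1:].strip()


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: skips blank and '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = split_kv(line)
        props[key] = value
    return props


def missing_revocation_checks(text: str) -> List[str]:
    """Return the labels of revocation checks that are not explicitly 'true'."""
    props = parse_properties(text)
    return [label for key, label in REVOCATION_KEYS.items()
            if props.get(key, "false").lower() != "true"]


def harden(text: str) -> str:
    """Force both checks to true, rewriting existing lines and appending missing ones."""
    out, seen = [], set()
    for raw in text.splitlines():
        key, _ = split_kv(raw)
        if key in REVOCATION_KEYS:  # comment lines yield keys starting with '#'/'!'
            out.append(f"{key}=true")
            seen.add(key)
        else:
            out.append(raw)
    out.extend(f"{key}=true" for key in REVOCATION_KEYS if key not in seen)
    return "\n".join(out) + "\n"


# Constructed sample: CRL checking explicitly off, OCSP setting absent.
SAMPLE = """#deployment.properties
deployment.version=6.0
deployment.security.validation.crl=false
deployment.javaws.autodownload=NEVER
"""

if __name__ == "__main__":
    for label in missing_revocation_checks(SAMPLE):
        print("DISABLED:", label)
    print(harden(SAMPLE), end="")
```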
Technical Background
The problem in Sun Java, which affects the Secunia OSI and other signed applets, will be presented at a security conference on 16/10/2008. To secure Secunia OSI users, Secunia has published this update and taken the measures described below to protect Secunia OSI users until a proper and permanent fix is implemented in Sun Java.
Secunia has worked around the design problem in Sun Java in the updated OSI applet, revoked the old certificate, and signed the updated applet with a new certificate.
Sun Java does not offer any means to "kill" old applets, such as the kill-bit for ActiveX controls. Thus, it has been necessary to revoke the certificate used to sign the old applet.
However, certificate revocation checking is disabled by default in Sun Java. It is therefore necessary to either manually remove the trust relationship to the old certificate or run the Secunia OSI, which enables checking of Certificate Revocation Lists (CRL) in Sun Java.
Sun has informed Secunia that they are working on a "kill list mechanism".
You can read more about these insecure default CRL settings in Sun Java on the CERT/CC blog.