-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

       National Cyber Alert System
   
 Technical Cyber Security Alert TA08-193A


Sun Java Updates for Multiple Vulnerabilities

   Original release date: July 11, 2008
   Last revised:
   Source: US-CERT

Systems Affected

   Sun Java Runtime Environment versions
     * JDK and JRE 6 Update 6 and earlier
     * JDK and JRE 5.0 Update 16 and earlier
     * SDK and JRE 1.4.2_17 and earlier
     * SDK and JRE 1.3.1_22 and earlier

Overview

   Sun has released alerts to address multiple vulnerabilities affecting the
   Sun Java Runtime Environment. The most severe of these vulnerabilities could
   allow a remote attacker to execute arbitrary code.

I. Description

   The Sun Java Runtime Environment (JRE) allows users to run Java applications
   in a browser or as standalone programs. Sun has released updates to the Java
   Runtime Environment software to address multiple vulnerabilities. Further
   details  about  these  vulnerabilities  are  available  in the US-CERT
   Vulnerability Notes Database.

   Sun released the following alerts to address these issues:
     * 238628 Security Vulnerabilities in the Java Runtime Environment related
       to the processing of XML Data
     * 238666 A Security Vulnerability with the processing of fonts in the Java
       Runtime Environment may allow Elevation of Privileges
     * 238687  Security  Vulnerabilities  in the Java Runtime Environment
       Scripting Language Support
     * 238905 Multiple Security Vulnerabilities in Java Web Start may allow
       Privileges to be Elevated
     * 238965 Security Vulnerability in Java Management Extensions (JMX)
     * 238966 Security Vulnerability in JDK/JRE Secure Static Versioning
     * 238967 Security Vulnerability in the Java Runtime Environment Virtual
       Machine  may  allow  an untrusted Application or Applet to Elevate
       Privileges
     * 238968 Security Vulnerabilities in the Java Runtime Environment may
       allow Same Origin Policy to be Bypassed

II. Impact

   The  impacts  of  these vulnerabilities vary. The most severe of these
   vulnerabilities allows a remote attacker to execute arbitrary code.

III. Solution

Apply an update from Sun

   These issues are addressed in the following versions of the Sun Java Runtime
   environment:
     * JDK and JRE 6 Update 7
     * JDK and JRE 5.0 Update 16
     * SDK and JRE 1.4.2_18
     * SDK and JRE 1.3.1_23

   If  you  install the latest version of Java, older versions may remain
   installed on your computer. If you do not need these older versions, you can
   remove them by following Sun's instructions.

Disable Java

   Disable Java in your web browser, as described in the Securing Your Web
   Browser document. While this does not fix the underlying vulnerabilities, it
   does block a common attack vector.

IV. References

 * Securing Your Web Browser -
   <http://www.us-cert.gov/reading_room/securing_browser/>

 * Sun Alert 238628 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238628-1>
  
 * Sun Alert 238666 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238666-1>

 * Sun Alert 238687 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238687-1>

 * Sun Alert 238905 -
    <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1>
     
 * Sun Alert 238965 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1>
 
 * Sun Alert 238966 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238966-1>

 * Sun Alert 238967 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238967-1>

 * Sun Alert 238968 -
   <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238968-1>
  
 * Java SE Technologies at a Glance -
   <http://java.sun.com/javase/technologies/>
 
 * Java SE Security -
   <http://java.sun.com/javase/technologies/security/index.jsp>

 * Can I remove older versions of the JRE after installing a newer version? - 
   <http://www.java.com/en/download/faq/5000070400.xml>
   

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-193A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA08-193A Feedback VU#827003" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


   Revision History

   July 11, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSHe8kHIHljM+H4irAQLE2ggAnbYzXhebOasmhDAHRsiK4hLmXc78gLJf
jCdRSEeOre7Rsafi4xpTHzXlunKbmEGaCyMKx43FZ877GoVn88r8sqrvI3kfy8GY
TsOFFHmpiVU4KRN60dHMqGZ4J++cTXU65Fykd1mRgDc5/WMLnhrhXxwewdpgSvwt
phtrKcE8cmzu/z/Y7UADv5mqmzBg0maqcf1NIOHkP1lqPd2R/RaXk+nOF/GrymVp
Hm8kXE1PbU8QjD2KEcydLFqzE8DkwWqmEB+ETVs3lDJPqNf5pVQ9uAzEMsszmjq6
eA/XLJ+iQ5ydZeEjVanuxfpcaF0JnJQxA9OSGlevHzkx3+NAw3+VTw==
=aNzi
-----END PGP SIGNATURE-----