Type: Bug
Resolution: Fixed
Priority: P4
Affected version: 1.4.2
Fixed in: b96
CPU: x86
OS: windows_xp
Name: gm110360 Date: 03/29/2004
FULL PRODUCT VERSION :
not relevant
ADDITIONAL OS VERSION INFORMATION :
all Windows versions
A DESCRIPTION OF THE PROBLEM :
If Web Start's auto-install mechanism (of the JRE) has to be used, the user (whether developer or customer) can only install an insecure JRE with a security exploit.
Sun withholds the safer and fixed versions of the JRE (as of 2003-11-21) from usage in this context.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create an auto-install page for your Web Start application (as of 2003-11-21).
2. Look at http://java.sun.com/j2se/1.4.2/docs/guide/deployment/autodl/autodl-files.html
to find out that the most recent JREs that can be installed as Java 1.4.1 and Java 1.3.1 are 1.4.1_03 and 1.3.1_08 respectively.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I would have expected to find JREs 1.3.1_09 and 1.4.1_04 or later versions among the autodl files, because earlier versions have a serious vulnerability, described here:
Sun Alert ID: 57221
Synopsis: A Vulnerability in JRE May Allow an Untrusted Applet to Escalate Privileges
See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57221 for more details.
ACTUAL -
Only the vulnerable(!) JREs described in Sun's Alert Notification 57221 can be auto-installed.
The safe JREs (fixed versions) cannot be installed.
REPRODUCIBILITY :
This bug can always be reproduced.
(Incident Review ID: 227106)
======================================================================
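As an added check that is not part of the original bug report, the following Python parses JRE version strings of the `1.x.y_NN` form and flags any that fall below the fixed releases the reporter names (1.3.1_09 and 1.4.1_04); the minimum-version table and the sample list of offered versions are constructed from the report, not taken from the autodl page itself.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum fixed JRE per release family, as stated in the report for Sun Alert 57221.
# Families not listed here are reported as "not covered" rather than guessed at.
FIXED_MIN: Dict[Tuple[int, int, int], Tuple[int, int, int, int]] = {
    (1, 3, 1): (1, 3, 1, 9),   # 1.3.1_09
    (1, 4, 1): (1, 4, 1, 4),   # 1.4.1_04
}

# JRE version strings look like "1.4.1" or "1.4.1_03"; the update number is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.1_03' into (1, 4, 1, 3); a missing update number counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its family, False if at or
    above it, None if the family is not in the alert table (no claim either way)."""
    version = parse_jre_version(text)
    fixed = FIXED_MIN.get(version[:3])
    if fixed is None:
        return None
    return version < fixed


def audit_offered_versions(offered: Iterable[str]) -> Dict[str, str]:
    """Classify each version an auto-install page offers as vulnerable/fixed/not-covered."""
    labels = {True: "vulnerable", False: "fixed", None: "not-covered"}
    return {v: labels[is_vulnerable(v)] for v in offered}


if __name__ == "__main__":
    # Constructed sample: the two versions the report says are offered, plus the fixed ones.
    sample = ["1.4.1_03", "1.3.1_08", "1.4.1_04", "1.3.1_09", "1.4.2"]
    for version, status in audit_offered_versions(sample).items():
        print(f"{version:10} {status}")
```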