Java Runtime CMM readMabCurveData Buffer Overflow

Added: 10/04/2010
CVE: CVE-2010-0838
BID: 39069
OSVDB: 63500

Background

Oracle Java SE and Java for Business are development platforms for developing and deploying Java applications. They include the Java SE Development Kit (JDK) and the Java Runtime Environment (JRE). The JRE provides the minimum requirements for executing a Java application (e.g., an applet) and consists of the Java Virtual Machine (JVM), core classes and supporting files. One of the libraries included in the JVM is the Color Management Module (CMM), which controls the conversion among the color representations used by various devices by processing International Color Consortium (ICC) profiles.

Problem

Oracle Java SE and Java for Business 6 Update 18 and prior, and 5.0 Update 23 and prior are vulnerable to a buffer overflow in the CMM readMabCurveData function. A remote attacker could gain system access if a user opens a Java applet that imports a malicious ICC profile that specifies an invalid count for curveType objects passed to the readMabCurveData function.
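The defect class this advisory describes, an attacker-controlled element count that is trusted before the copy, shown with its validation as an added example in C. This is constructed code, neither Oracle's CMM nor code from this page; the curveType layout (a 'curv' signature, four reserved bytes, a big-endian uint32 entry count, then that many uint16 values) follows the public ICC profile specification, and the function and sample names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

#define CURV_SIG 0x63757276u /* ASCII 'curv' */

static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy the entries of one ICC curveType element into `out`.
 * Returns the number of entries copied, or -1 if the element is malformed. */
int parse_curve_type(const uint8_t *data, size_t len, uint16_t *out, size_t out_cap)
{
    if (len < 12 || be32(data) != CURV_SIG)
        return -1;
    uint32_t count = be32(data + 8);           /* attacker-controlled value */
    /* Validate the declared count against the bytes actually present and
     * against the destination before copying anything. Dividing the remaining
     * length instead of multiplying count avoids a 32-bit wrap in the check. */
    if (count > (len - 12) / 2)               /* claims more entries than exist */
        return -1;
    if (count > out_cap)                       /* would overrun the destination */
        return -1;
    for (uint32_t i = 0; i < count; i++)
        out[i] = be16(data + 12 + 2 * i);
    return (int)count;
}

/* Constructed samples, not taken from any real profile. */
static const uint8_t good_curve[] = {
    'c','u','r','v', 0,0,0,0, 0,0,0,3, 0x00,0x00, 0x80,0x00, 0xFF,0xFF };
/* Same bytes, but the count claims far more entries than are present. */
static const uint8_t bad_curve[] = {
    'c','u','r','v', 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0x00,0x00, 0x80,0x00, 0xFF,0xFF };

/* Parse a sample into a fixed 16-entry buffer; returns the entry count or -1. */
int parse_sample(const uint8_t *sample, size_t len)
{
    uint16_t entries[16];
    return parse_curve_type(sample, len, entries, 16);
}

/* Return entry `idx` of a parsed sample, or -1 if parsing fails or idx is out of range. */
long parse_sample_entry(const uint8_t *sample, size_t len, size_t idx)
{
    uint16_t entries[16];
    int n = parse_curve_type(sample, len, entries, 16);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return entries[idx];
}
```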

Resolution

Apply the patches detailed in the Oracle Java SE and Java for Business Critical Patch Update Advisory for March 2010.

References

http://www.zerodayinitiative.com/advisories/ZDI-10-061/

Limitations

Exploit works on Oracle Java SE and Java for Business containing Oracle JRE 6 Update 18.

The user must open the exploit in Internet Explorer 6, 7, or 8 or Mozilla Firefox 2.x or 3.x.

Platforms

Windows
