
Microsoft Security Bulletin 2002 No. 013

March 7, 2002: Microsoft released its 13th security bulletin of the year

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp
Multiple Vendor Java Virtual Machine Session Hijacking Vulnerability
Published: 2002-3-5
Updated: 2002-3-7

Affected systems:
Sun JDK (Reference Release) 1.1.8_007
Sun JDK (Reference Release) 1.1.8_003
Sun JDK (Solaris Production Release) 1.1.8_13
Sun JDK (Windows Production Release) 1.1.8_007
Sun JDK (Windows Production Release) 1.1.8_005
Sun JDK (Windows Production Release) 1.1.8_002
Sun JRE (Linux Production Release) 1.3.0_02
Sun JRE (Linux Production Release) 1.2.2_010
Sun JRE (Reference Release) 1.2.2_010
Sun JRE (Reference Release) 1.1.8_007
Sun JRE (Solaris Production Release) 1.3.0_02
Sun JRE (Solaris Production Release) 1.2.2_10
Sun JRE (Solaris Production Release) 1.1.8_13
Sun JRE (Windows Production Release) 1.3.0_02
Sun JRE (Windows Production Release) 1.2.2_010
Sun JRE (Windows Production Release) 1.1.8_007
Sun SDK (Linux Production Release) 1.3.0_02
Sun SDK (Linux Production Release) 1.2.2_010
Sun SDK (Reference Release) 1.2.2_010
Sun SDK (Solaris Production Release) 1.3.0_02
Sun SDK (Solaris Production Release) 1.2.2_10
Sun SDK (Windows Production Release) 1.3.0_02
Sun SDK (Windows Production Release) 1.2.2_010
Sun SDK (Windows Production Release) 1.2.2_007
Microsoft Virtual Machine build 3802
   - Microsoft Windows XP Professional
   - Microsoft Windows XP Home
   - Microsoft Windows XP
   - Microsoft Windows NT 4.0
   - Microsoft Windows 98 SE
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows 2000

Unaffected systems:

Sun JDK (Reference Release) 1.1.8_009
Sun JDK (Solaris Production Release) 1.1.8_15
Sun JDK (Windows Production Release) 1.1.8_009
Sun JRE (Linux Production Release) 1.4
Sun JRE (Linux Production Release) 1.3.1_02
Sun JRE (Linux Production Release) 1.2.2_011
Sun JRE (Reference Release) 1.2.2_011
Sun JRE (Reference Release) 1.1.8_009
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.3.1_02
Sun JRE (Solaris Production Release) 1.2.2_11
Sun JRE (Solaris Production Release) 1.1.8_15
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.3.1_02
Sun JRE (Windows Production Release) 1.2.2_011
Sun JRE (Windows Production Release) 1.1.8_009
Sun SDK (Linux Production Release) 1.4
Sun SDK (Linux Production Release) 1.3.1_02
Sun SDK (Linux Production Release) 1.2.2_011
Sun SDK (Reference Release) 1.2.2_011
Sun SDK (Solaris Production Release) 1.4
Sun SDK (Solaris Production Release) 1.3.1_02
Sun SDK (Solaris Production Release) 1.2.2_11
Sun SDK (Windows Production Release) 1.4
Sun SDK (Windows Production Release) 1.3.1_02
Sun SDK (Windows Production Release) 1.2.2_011
Microsoft Virtual Machine build 3805
   - Microsoft Windows XP Professional
   - Microsoft Windows XP Home
   - Microsoft Windows XP
   - Microsoft Windows NT 4.0
   - Microsoft Windows 98 SE
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows 2000

Description:


CVE(CAN) ID: CAN-2002-0058
Several vendors (including Sun and Microsoft) have implemented Java virtual machines, which allow code from untrusted sources (such as Java applets) to be executed safely inside the virtual machine.
Some vendors' virtual machine implementations contain a vulnerability: when a user accesses the network through an HTTP proxy, a malicious Java applet can hijack the user's session.
When a user browses through a proxy server with IE or another web browser, a malicious Java applet on a web site could exploit this vulnerability to silently redirect the traffic the user's browser sends to a host under the attacker's control. The attacker could then send malicious responses that appear to come from the original destination, or drop the session's traffic to cause a denial of service. The attacker could also capture and store the user's session data, enabling replay attacks or the harvesting of sensitive information such as usernames and passwords.

The Microsoft and Sun virtual machine implementations are currently known to be affected. Netscape 6.1, 6.0.1 and 6.0 are affected because they ship with a vulnerable Java virtual machine. Microsoft VM build 3802 and earlier builds are also affected.
<*Source: Microsoft Security Team (secure@microsoft.com)
 Links: http://www.microsoft.com/technet/security/bulletin/MS02-013.asp    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sba *>

Suggested workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Disable the Microsoft VM in Internet Explorer:
Tools -> Internet Options -> Security -> Internet -> Custom Level -> set Microsoft VM to Disable.
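The workaround above is applied by clicking through Internet Options; on more than a handful of machines you will want to verify it from the registry instead. The following Python script is an added example for readers of this advisory, not code from the advisory or from Microsoft. It assumes (as documented for Internet Explorer's zone settings, but stated here as an assumption) that the per-zone "Java permissions" setting shown as "Microsoft VM" in Custom Level is stored as the DWORD value 1C00 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, with 0 = Disable Java, 0x10000 = High safety, 0x20000 = Medium safety, 0x30000 = Low safety, 0x800000 = Custom, and that zone 3 is the Internet zone.

```python
"""Verify the MS02-013 workaround (Microsoft VM disabled for the Internet zone)
by reading Internet Explorer's zone settings from the registry.

Added example, not from the advisory or from Microsoft.  Assumption: IE keeps
the "Java permissions" ("Microsoft VM" in Custom Level) for each zone as the
DWORD 1C00 under HKCU\\Software\\...\\Internet Settings\\Zones\\<zone>; zone 3 is
the Internet zone.
"""
import sys
from typing import Optional

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
JAVA_PERMISSIONS_VALUE = "1C00"
INTERNET_ZONE = 3

# Raw DWORD -> label shown in Internet Options (assumed mapping, see lead-in).
JAVA_PERMISSION_NAMES = {
    0x000000: "Disable Java",
    0x010000: "High safety",
    0x020000: "Medium safety",
    0x030000: "Low safety",
    0x800000: "Custom",
}


def java_permission_name(value: Optional[int]) -> str:
    """Map the raw 1C00 value to IE's label; None means the value is absent."""
    if value is None:
        return "not set"
    return JAVA_PERMISSION_NAMES.get(value, f"unrecognised (0x{value:08x})")


def workaround_applied(value: Optional[int]) -> bool:
    """The workaround holds only when Java is fully disabled for the zone.

    An absent or unrecognised value is reported as NOT applied: when auditing
    many machines, treating the unknown as safe is the failure mode to avoid.
    """
    return value == 0


def read_java_permission(zone: int = INTERNET_ZONE) -> Optional[int]:
    """Read the 1C00 value for a zone from HKCU.  Windows only.

    Returns None when the zone key or the value does not exist.
    """
    import winreg  # Windows-only module; the pure helpers above work anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, rf"{ZONES_KEY}\{zone}") as key:
            value, kind = winreg.QueryValueEx(key, JAVA_PERMISSIONS_VALUE)
    except FileNotFoundError:
        return None
    return int(value) if kind == winreg.REG_DWORD else None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("reads Internet Explorer zone settings; run on Windows")
    raw = read_java_permission()
    print(f"Internet zone Java permissions: {java_permission_name(raw)}")
    if workaround_applied(raw):
        print("MS02-013 workaround applied (Microsoft VM disabled)")
    else:
        print("Microsoft VM still enabled in the Internet zone")
```

Only HKCU is read here, so the result reflects the current user's own setting; zone settings pushed by machine-wide policy are stored elsewhere and are not covered by this script.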

Vendor patches:

Microsoft
--------- Microsoft has released a security bulletin (MS02-013) and a corresponding patch:
MS02-013:Java Applet Can Redirect Browser Traffic
链接:http://www.microsoft.com/technet/security/bulletin/MS02-013.asp

Patch download


You should upgrade to Microsoft VM build 3805 or later:
http://www.microsoft.com/java/vm/dl_vm40.htm
Sun
--- Sun has released a security bulletin (Sun-00216) and corresponding patches:
Sun-00216:HttpURLConnection
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sba

Patch download

   Windows Production Releases
   SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
   SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
   SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
   JDK and JRE 1.1.8_009 http://java.sun.com/products/jdk/1.1/download-jdk-windows.html   
   Solaris OE Reference Releases
   SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
   JDK and JRE 1.1.8_009 http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html

   Solaris OE Production Releases
   SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
   SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
   SDK and JRE 1.2.2_11 http://java.sun.com/j2se/1.2/
   JDK and JRE 1.1.8_15 http://java.sun.com/products/jdk/1.1/download-jdk-solaris.html

   Linux Production Releases
   SDK and JRE 1.4 http://java.sun.com/j2se/1.4/
   SDK and JRE 1.3.1_02 http://java.sun.com/j2se/1.3/
   SDK and JRE 1.2.2_011 http://java.sun.com/j2se/1.2/
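The affected and unaffected lists above are easy to misread when checking an installed VM: Sun numbered Solaris production builds differently from the Windows and reference releases (1.1.8_13 on Solaris is affected while 1.1.8_009 on Windows is fixed), wrote the same update both as "_011" and "_11", and lists no fixed build at all on the 1.3.0 line. The following Python script is an added example, not code from the advisory, from Sun or from Microsoft; it encodes the advisory's thresholds keyed by release type and classifies a version banner. It assumes the Sun `java -version` banner contains a version string such as `"1.2.2_010"` and that the Microsoft `jview` banner ends in `Version 5.00.<build>`; both banner formats are assumptions, the thresholds are taken from the lists above.

```python
"""Classify an installed Java VM against the affected / unaffected lists in this
advisory (MS02-013, Sun bulletin 216, CAN-2002-0058).

Added example, not from the advisory or from either vendor.  Assumed banner
formats: Sun `java version "1.2.2_010"`, Microsoft `jview` `... Version 5.00.3802`.
"""
import re
from typing import Optional, Tuple

# Lowest fixed update per (release type, release line), from the unaffected list.
# Keyed by release type because Sun numbered Solaris production builds differently:
# 1.1.8_13 (Solaris) is affected while 1.1.8_009 (Windows/Reference) is fixed, so a
# single threshold per line would misclassify 1.1.8_13.  None = no fixed build on
# that line (1.3.0_02 is affected and the fix is to move to 1.3.1_02).
SUN_FIXED_UPDATE = {
    ("Reference",          (1, 1, 8)): 9,
    ("Reference",          (1, 2, 2)): 11,
    ("Windows Production", (1, 1, 8)): 9,
    ("Windows Production", (1, 2, 2)): 11,
    ("Windows Production", (1, 3, 0)): None,
    ("Windows Production", (1, 3, 1)): 2,
    ("Windows Production", (1, 4, 0)): 0,
    ("Solaris Production", (1, 1, 8)): 15,
    ("Solaris Production", (1, 2, 2)): 11,
    ("Solaris Production", (1, 3, 0)): None,
    ("Solaris Production", (1, 3, 1)): 2,
    ("Solaris Production", (1, 4, 0)): 0,
    ("Linux Production",   (1, 2, 2)): 11,
    ("Linux Production",   (1, 3, 0)): None,
    ("Linux Production",   (1, 3, 1)): 2,
    ("Linux Production",   (1, 4, 0)): 0,
}
MS_VM_FIXED_BUILD = 3805  # advisory: upgrade to Microsoft VM build 3805 or later

SUN_VERSION_RE = re.compile(r'\b(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?\b')
JVIEW_VERSION_RE = re.compile(r'Version\s+\d+\.\d+\.(\d+)')  # assumed jview banner


def parse_sun_version(banner: str) -> Tuple[Tuple[int, int, int], int]:
    """'java version "1.2.2_010"' -> ((1, 2, 2), 10); '1.4' -> ((1, 4, 0), 0).

    Leading zeros in the update are not significant ("_011" and "_11" are equal).
    """
    m = SUN_VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no Sun-style version in {banner!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0)), int(update or 0)


def sun_status(release_type: str, banner: str) -> str:
    """'fixed', 'affected' or 'unknown' for a Sun JDK/JRE/SDK.

    release_type is one of the advisory's release types: 'Reference',
    'Windows Production', 'Solaris Production' or 'Linux Production'.
    """
    line, update = parse_sun_version(banner)
    key = (release_type, line)
    if key not in SUN_FIXED_UPDATE:
        return "unknown"      # line not covered by the advisory: review manually
    fixed = SUN_FIXED_UPDATE[key]
    if fixed is None:
        return "affected"     # every listed build on this line is affected
    return "fixed" if update >= fixed else "affected"


def parse_jview_build(banner: str) -> Optional[int]:
    """'Microsoft (R) Command-line Loader for Java Version 5.00.3802' -> 3802."""
    m = JVIEW_VERSION_RE.search(banner)
    return int(m.group(1)) if m else None


def msvm_status(banner: str) -> str:
    """'fixed', 'affected' or 'unknown' for the Microsoft VM from its jview banner."""
    build = parse_jview_build(banner)
    if build is None:
        return "unknown"
    return "fixed" if build >= MS_VM_FIXED_BUILD else "affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real systems.
    samples = [
        ("Solaris Production", 'java version "1.1.8_13"'),   # affected (fixed is _15)
        ("Windows Production", 'java version "1.1.8_009"'),  # fixed
        ("Linux Production",   'java version "1.2.2_010"'),  # affected
        ("Solaris Production", 'java version "1.2.2_11"'),   # fixed
        ("Windows Production", 'java version "1.3.0_02"'),   # affected, no fix on line
        ("Windows Production", 'java version "1.4.0"'),      # fixed
    ]
    for release_type, banner in samples:
        print(f"{release_type:18} {banner:26} -> {sun_status(release_type, banner)}")
    for banner in ("Microsoft (R) Command-line Loader for Java Version 5.00.3802",
                   "Microsoft (R) Command-line Loader for Java Version 5.00.3805"):
        print(f"{banner} -> {msvm_status(banner)}")
```

Feed it the first line of `java -version` (or `jview` with no arguments) together with the release type you installed; anything reported as "unknown" is a line the advisory does not list and needs a manual look rather than being assumed safe.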

 


Network Security. Copyright ©2002 JSTVU. All Rights Reserved.