Sun Java Runtime Environment (JRE) Type1 Font Parsing Integer Signedness Vulnerability
10 Jul. 2009
Summary
Exploitation of an integer signedness vulnerability in Sun Microsystems Inc.'s Java JRE could allow an attacker to execute arbitrary code with the privileges of the current user.
Vulnerable Systems:
* Sun Java JDK and JRE 6 Update 12 and prior
* Sun Java JDK and JRE 5.0 Update 17 and earlier
The vulnerability exists within the font parsing code in the JRE. As part of its font API, the JRE provides the ability to load a font from a remote URL.
The vulnerability occurs when parsing glyph description instructions in the font file. When parsing the glyph descriptions, a 16-bit signed counter is used as the index at which the next glyph point value is stored. This counter is compared against a 32-bit value that represents the maximum size of the heap buffer. Under certain conditions, the 16-bit counter is interpreted as a negative value, so the comparison succeeds and data is stored before the start of the allocated buffer.
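The signedness mismatch described above, modelled as an added C example (this is not the JRE's font parser; the buffer size, function names and counter behaviour are constructed to illustrate the pattern): a 16-bit signed point counter checked against a 32-bit buffer size, beside the corrected check.

```c
#include <stdint.h>

/* Constructed model of the described bug: a 16-bit signed counter is
 * used as the index for the next glyph point and is compared against a
 * 32-bit buffer size. Only the bounds check is modelled; nothing is
 * written to memory. */
#define POINT_BUF_SIZE 40000   /* constructed heap buffer capacity (32-bit) */

/* Vulnerable check: returns 1 if the store would be allowed.
 * The int16_t index is promoted to int, so -32768 < 40000 is true and
 * a wrapped counter passes with a negative index. */
int vulnerable_index_ok(int16_t next_point, int32_t buf_size) {
    return next_point < buf_size;
}

/* Fixed check: hold the counter in a 32-bit type so it cannot wrap at
 * the 16-bit boundary, and reject negative indices explicitly. */
int fixed_index_ok(int32_t next_point, int32_t buf_size) {
    return next_point >= 0 && next_point < buf_size;
}

/* Simulate parsing point_count glyph points with the vulnerable counter.
 * Returns the index the last point would have been stored at, or -1 if
 * the check rejected a store. */
int32_t simulate_vulnerable(int32_t point_count) {
    int16_t counter = 0;            /* 16-bit signed, as in the bug */
    int32_t last = -1;
    for (int32_t i = 0; i < point_count; i++) {
        if (!vulnerable_index_ok(counter, POINT_BUF_SIZE)) return -1;
        last = counter;             /* would be used as buf[counter] */
        counter++;                  /* 32767 + 1 wraps to -32768 on common compilers */
    }
    return last;
}

/* Same simulation with the corrected counter type and check. */
int32_t simulate_fixed(int32_t point_count) {
    int32_t counter = 0;            /* 32-bit, matches the size it is compared to */
    int32_t last = -1;
    for (int32_t i = 0; i < point_count; i++) {
        if (!fixed_index_ok(counter, POINT_BUF_SIZE)) return -1;
        last = counter;
        counter++;
    }
    return last;
}
```

With 32769 points the vulnerable path accepts a store at index -32768, before the buffer, while the fixed path reaches index 32768 and rejects the first store at or beyond the buffer size.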
Exploitation allows attackers to execute arbitrary code in the context of the currently logged-on user. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites.