Secunia Research: Sun Java Plug-In Predictable File Location Weakness

======================================================================

                     Secunia Research 09/02/2005

       - Sun Java Plug-In Predictable File Location Weakness -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
About Secunia........................................................7
Verification.........................................................8

======================================================================
1) Affected Software

Sun Java JRE / JDK 1.5.0

Other versions may also be affected.

======================================================================
2) Severity

Rating: Not critical
Impact: Unknown
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a weakness in Sun Java Plugin-In, 
allowing malicious websites to write arbitrary content to a file with 
a predictable name.

The problem is that the plugin creates temporary files for class files 
using a file name which becomes predictable when referenced using the 
old 8dot3 file schema (FAT16/DOS support).

The temporary file creation in itself is not a vulnerability and 
should not pose any risk to the system. However, combined with 
certain Microsoft Internet Explorer functionality and 
vulnerabilities this can be exploited to compromise a vulnerable 
system.

The weakness has been confirmed in version 1.5.0_01. Other versions 
may also be affected.

======================================================================
4) Solution

Change the default directory for Temporary Internet Files 
(this may affect functionality):
Java Control Panel -> Settings... --> Location

======================================================================
5) Time Table

06/07/2004 - Weakness discovered.
06/07/2004 - Vendor notified.
08/07/2004 - Vendor response.
10/11/2004 - Vendor confirms the weakness.
09/02/2005 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
8) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-7/advisory/

======================================================================