Oracle Java Runtime TTF BO (March 9, 2012)


The Java software platform owned by Oracle is a system for developing cross-platform applications. Java is distributed in the form of various tools such as the Java Runtime Environment (JRE) and the Java Development Kit (JDK). The JRE contains the Java Virtual Machine (JVM), libraries and other components whereas the JDK is a toolkit for developers. The common graphics library packages of Java are the Abstract Windowing Toolkit (AWT) and Swing packages.

Java is most commonly seen on the web in the form of the Java Applet. It is an application delivered to a client web browser in the form of Java bytecode. Once downloaded, it is executed by the web browser using a Java Virtual Machine (JVM). Java applets can be used, among other things, to parse various graphics files located on a remote host. One type of a graphics file is the TrueType Font (TTF) format. TrueType is an outline font standard originally developed by Apple Computer, and has been used on multiple platforms. TrueType fonts are scalable which means the glyphs can be displayed at any resolution and any point size. A TrueType Font file consists of tables preceded by a table directory. The table directory consists of records describing each table in the font and has the following format:

 Offset   Type      Description                  -------- --------- -------------------- 0x0000   uint32    tag 0x0004   uint32    table checksum 0x0008   uint32    table offset 0x000c   uint32    table length 

The table directory is followed by table data at their respective offsets. The Font Program table holds instructions used to manipulate fonts. These instructions can be used to create functions and instruction definitions. The instructions are used to manage the font at different sizes to ensure that it remains true to the font’s original design. An opcode specifically used to allow older information to work with fonts using later versions of the TrueType interpreter.

A vulnerability exists in Oracle Java due to a heap buffer overflow when processing certain instruction opcodes during TrueType font processing. Internally, a heap buffer is allocated based on a literal value found in the TTF file. This buffer is used to hold the instructions defined by an instruction block. However, the vulnerable code does not check that the actual number of opcodes is the same as defined by the supplied value. If the number of opcodes is larger than the defined count value, then a heap buffer overflow will occur during processing of these opcodes.

Remote attackers could exploit this vulnerability by persuading target users to visit a web site that links to a malicious Java applet. Successful exploitation would cause memory corruption that could potentially allow for arbitrary code execution in the security context of the logged in user.

SonicWALL has released an IPS signature to address this vulnerability. The released signature covers a known exploit. The following signature was released:

  • 7469 – Oracle JRE TTF Handling Heap Buffer Overflow

The vulnerability has been assigned the ID CVE-2012-0499 by mitre. The vendor has released an advisory regarding this issue.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.