Oracle Java Heap Buffer Overflow (Nov 1, 2012)


Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since merged into Oracle Corporation) and released in 1995 as a core component of Sun Microsystems’ Java platform. Java applications are typically compiled to bytecode (class file) that can run on any Java virtual machine (JVM) regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. Java is distributed in the form of various tools such as the Java Runtime Environment (JRE) and the Java Development Kit (JDK).

The JRE is a software platform that contains the Java Virtual Machine (JVM), Java libraries and other various components. End-users commonly use a Java Runtime Environment (JRE) installed on their own machine for standalone Java applications, or in a Web browser for Java applets. Standardized libraries provide a generic way to access host-specific features such as graphics, threading, and networking. The JDK is primarily a toolkit for developers and consists of the Java loader, compiler, libraries, debugger and several other tools. These libraries enable Java to parse various graphics and media content. The common graphics library packages of Java are the Abstract Windowing Toolkit (AWT) and Swing packages.

TrueType is an outline font standard developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. It has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. The JRE and JDK are able to parse various graphics files, including TrueType font files.

A TrueType Font file consists of a number of tables. There is a directory of tables that must appear at the start of the file. The file may contain only one table of each type, and the type is indicated by a case-sensitive four letter tag. Each table and the whole font have checksums. The tables can appear in any order. The font directory consists of two parts: the offset subtable and the table directory. The offset subtable provides the number of tables in the font and their offset information, and has the following structure:

    Offset   Size (bytes)   Name
    -------------------------------------------------------------------
    0x00     4              Version
    0x04     2              numTables
    0x06     2              searchRange    (maximum power of 2 <= numTables)*16
    0x08     2              entrySelector  log2(maximum power of 2 <= numTables)
    0x0a     2              rangeShift
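A defender's structural check of the font directory described above, as an added example (not SonicWall's signature logic and not code from the original advisory). The 16-byte table directory entry layout (tag, checksum, offset, length) is taken from the TrueType specification rather than from this page, and the function names and sample fonts are constructed for illustration.

```python
import struct

# Offset subtable, big-endian: Version, numTables, searchRange, entrySelector, rangeShift
OFFSET_SUBTABLE = struct.Struct(">IHHHH")
# Assumption (TrueType spec, not shown on the page): 16-byte entries of tag, checksum, offset, length
DIR_ENTRY = struct.Struct(">4sIII")

def check_font_directory(data):
    """Return a list of structural problems in a TrueType font directory."""
    if len(data) < OFFSET_SUBTABLE.size:
        return ["file shorter than the 12-byte offset subtable"]
    _version, num_tables, search_range, entry_selector, _shift = OFFSET_SUBTABLE.unpack_from(data)
    if num_tables == 0:
        return ["numTables is zero"]
    problems = []
    log2 = num_tables.bit_length() - 1  # exponent of the largest power of 2 <= numTables
    if search_range != (1 << log2) * 16:
        problems.append("searchRange inconsistent with numTables")
    if entry_selector != log2:
        problems.append("entrySelector inconsistent with numTables")
    dir_end = OFFSET_SUBTABLE.size + num_tables * DIR_ENTRY.size
    if dir_end > len(data):
        return problems + ["table directory runs past end of file"]
    seen = set()
    for i in range(num_tables):
        tag, _sum, offset, length = DIR_ENTRY.unpack_from(data, OFFSET_SUBTABLE.size + i * DIR_ENTRY.size)
        if tag in seen:  # the file may contain only one table of each type
            problems.append(f"duplicate table tag {tag!r}")
        seen.add(tag)
        if offset < dir_end or offset + length > len(data):
            problems.append(f"table {tag!r} lies outside the file body")
    return problems

def make_font(entries, body=b"\0" * 8):
    """Build a constructed sample font with a consistent offset subtable (rangeShift left 0, unchecked)."""
    n = len(entries)
    log2 = n.bit_length() - 1
    head = OFFSET_SUBTABLE.pack(0x00010000, n, (1 << log2) * 16, log2, 0)
    return head + b"".join(DIR_ENTRY.pack(*e) for e in entries) + body

# Constructed samples: a well-formed directory, a duplicate/oversized table, a header with no directory
GOOD = make_font([(b"cmap", 0, 44, 4), (b"glyf", 0, 48, 4)])
BAD = make_font([(b"glyf", 0, 44, 4), (b"glyf", 0, 48, 0x1000)])
TRUNCATED = OFFSET_SUBTABLE.pack(0x00010000, 0x0100, 0x1000, 8, 0)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", TRUNCATED)):
        print(name, check_font_directory(blob) or "ok")
```

A parser written in a fixed-width language has to perform the `offset + length` bound check without 32-bit wraparound; Python integers do not overflow, so the comparison here is exact.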

A heap memory buffer overflow vulnerability exists in Oracle Java's handling of TrueType fonts. A remote unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the logged-in user.

The Dell SonicWALL UTM team has researched the vulnerability and released the following signature to cover the exploit:

  • GAV:Malformed.ttf.TL.2

The vulnerability was not assigned a Common Vulnerabilities and Exposures (CVE) identifier.
