Red Hat Bugzilla – Bug 859155
JDK: browser plugin allows changing SecurityManager for all applets
Last modified: 2014-02-28 16:02:38 EST
The Oracle and IBM Java SE browser plugins allow a signed applet running with full privileges to replace the SecurityManager. The change is not limited to the applet that made it; it also affects other applets. An attacker able to make a victim run a signed applet that replaces the SecurityManager (the attacker does not need control over what this applet does; they only need to find one that the victim is likely to run and that installs a more permissive SecurityManager), and later navigate the victim to a page containing an unsigned, attacker-controlled applet, could use this flaw to have their unsigned applet code run with additional privileges.
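The root of the problem is that the SecurityManager is process-wide state: System.setSecurityManager() replaces it for the whole JVM, not just for the caller. The following stand-alone program is an added illustration written for this page, not code from the bug report or from either vendor's plugin. It uses two threads in one JVM as stand-ins for a "signed" and an "unsigned" applet (an assumption of the demo; in the plugin the applets are separate classes under the plugin's class loaders), and the SandboxManager and PermissiveManager classes are hypothetical simplifications of the plugin's sandbox and of the more permissive manager a signed applet might install.

```java
import java.io.FilePermission;
import java.security.Permission;

/*
 * Added demo (not from the bug report): SecurityManager is JVM-global, so a
 * replacement installed by one unit of code is seen by every other unit in
 * the same process. Two threads stand in for the "signed" and "unsigned"
 * applets that share one plugin JVM (assumption for the demo).
 */
public class SharedSecurityManagerDemo {

    /** Hypothetical stand-in for the plugin sandbox: denies file reads. */
    static final class SandboxManager extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            if (p instanceof FilePermission && p.getActions().contains("read")) {
                throw new SecurityException("sandbox: read denied for " + p.getName());
            }
            // Everything else (including replacing the manager, as the
            // vulnerable plugins allowed for signed applets) is permitted.
        }
        @Override public void checkPermission(Permission p, Object ctx) { checkPermission(p); }
    }

    /** Hypothetical "more permissive SecurityManager" installed by the signed applet. */
    static final class PermissiveManager extends SecurityManager {
        @Override public void checkPermission(Permission p) { /* allow everything */ }
        @Override public void checkPermission(Permission p, Object ctx) { /* allow everything */ }
    }

    /** What the "unsigned applet" attempts; true if the current manager lets it through.
     *  checkRead() only consults the manager, so the path need not exist. */
    static boolean unsignedAppletCanRead(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;            // no manager at all: nothing restricts the read
        try {
            sm.checkRead(path);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.setSecurityManager(new SandboxManager());

        System.out.println("before: unsigned applet can read /etc/passwd? "
                + unsignedAppletCanRead("/etc/passwd"));   // false: sandbox denies it

        // The "signed applet" runs on another thread and replaces the manager.
        Thread signedApplet = new Thread(() -> System.setSecurityManager(new PermissiveManager()));
        signedApplet.start();
        signedApplet.join();

        // The "unsigned applet" never touched the manager, yet it is now unrestricted.
        System.out.println("after: unsigned applet can read /etc/passwd? "
                + unsignedAppletCanRead("/etc/passwd"));   // true: global manager was swapped
    }
}
```

On JDK 17 the SecurityManager is deprecated for removal and prints a warning; on JDK 18 and later System.setSecurityManager() throws UnsupportedOperationException unless the JVM is started with -Djava.security.manager=allow, so run the demo with that flag there. The plugin-level fix Oracle and IBM shipped was to stop honouring such a replacement across applets; IcedTea-Web avoided the issue by never letting applets call setSecurityManager in the first place.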
This issue did not affect the IcedTea-Web browser plugin, which does not allow applets to replace the SecurityManager:
Oracle has classified this as a security-in-depth fix. The Java SE CPU of April 2013 addresses this issue:
The IBM JDK plugin was also fixed in IBM's updates for the Java SE CPU of April 2013. Oracle/Sun JDKs were therefore fixed in 7u21 and 6u45, and IBM JDKs in 7 SR4-FP2 and 6 SR13-FP2.
Matching Red Hat Enterprise Linux errata are: