Java Plug-In JRE fails to notify when running applets with expired certificates
| javaplugin-jre-expired-certificate (7048) |  High Risk |
Description:
Sun Microsystems Java Plug-In could allow a remote attacker to execute malicious applets on a victim¿s computer, caused by the failure to notify the user once applets have been signed with expired certificates. A remote attacker can use this vulnerability to cause malicious applets to be executed on a victim¿s computer since the applet appears to be signed with a valid certificate.
Platforms Affected:
- Sun, Java Plug-In 1.4
- Sun, JRE 1.3.0
Remedy:
No remedy available as of November 29, 2008.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Fri Aug 24 2001 - 17:58:58 CDT, Java Plugin 1.4 with JRE 1.3 -> Ignores certificates. at http://archives.neohapsis.com/archives/bugtraq/2001-08/0359.html.
- BID-3245: Java Plug-In 1.4/JRE 1.3 Expired Certificate Vulnerability
- CVE-2001-1008: Java Plugin 1.4 for JRE 1.3 executes signed applets even if the certificate is expired, which could allow remote attackers to conduct unauthorized activities via an applet that has been signed by an expired certificate.
Reported:
Aug 24, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net