The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Sun JDK and JRE ICC and BMP Parser Vulnerabilities

Secunia ID



CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005

Release Date

16 May 2007

Last Change

23 Oct 2007


Highly Critical

Solution Status

Vendor Patch


Sun Java JDK 1.5.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x


From remote

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.


Chris Evans has reported some vulnerabilities in Sun JDK and JRE, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) An integer overflow error exists within the parser for embedded ICC profiles of JPG and BMP images. This can be exploited to crash the JVM and potentially allow the execution of arbitrary code by e.g. tricking an application using the JDK or JRE to process a malicious image file.

2) The BMP file parser tries to open local files ("/dev/tty") while parsing BMP images. This can be exploited to cause a DoS by e.g. tricking an application using the JDK or JRE to process a malicious BMP image.

Successful exploitation of this vulnerability may require the JVM to be run on a Linux- or UNIX-like operating system.


Update to JDK and JRE 6 Update 1 or later, JDK and JRE 5.0 Update 11 or later, SDK and JRE 1.4.2_15 or later, and SDK and JRE 1.3.1_21 or later. See vendor advisory for further details.

Reported by

Chris Evans, Google

Original Advisory


Chris Evans: