Zero day Java flaw opens up all users to attack

Powered by SC Magazine
 

Oracle's view is that it's no big deal.

Security researchers have warned of a flaw in Java that could allow malware writers to inject code onto user's machines.

The flaw is in the Java Web Start system built for developers with every version since Java 6 Update 10. The code contains a NPAPI plugin and ActiveX control called "Java Deployment Toolkit" which doesn't check the full parameters of URLs.

"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," Tavis Ormandy wrote on the Full Disclosure mailing list.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."

Ormandy said that the flaw opened up all Windows users of Java to attack. He published his findings because Oracle considered the bug not important enough to break its quarterly patching schedule.

“Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle,” he posted.

“For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.”

Copyright ©v3.co.uk


Zero day Java flaw opens up all users to attack
Tags
 
 
 
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
 
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
 
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3958

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1347

Vote