Skip to: [ search ] [ menus ] [ content ] Select style [ Aqua ] [ Citrus ] [ Fire ] [ Orange ] [ show/hide more content ]

Zero-day flaw in Java puts Windows users at (even more) risk

Two researchers reported today that a vulnerability in Java technology could be used by attackers to compromise computers running Windows, if a Web page with malicious code is visited.

Tavis Ormandy, a Google engineer, provided details on the Full Disclosure email list, and Ruben Santamarta, an engineer at Wintercore, wrote about the vulnerability on his company blog site.

According to Ormandy:

“Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control called “Java Deployment Toolkit” to provide developers with a simpler method of distributing their applications to end users. This toolkit is installed by default with the JRE and marked safe for scripting.”

“The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited,” Ormandy wrote. “The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.”

“All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.”

“I believe non-Windows installations are unaffected.”

“Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.”

“For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.”

Ormandy offers workarounds to mitigate the problem.

Representatives at Oracle, which recently acquired Sun Microsystems, did not respond to a phone call and emails seeking comment late today.

Who said the Code War was over? :-)

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”

You can view higher-resolution photos (*generally* 7-30 megabytes, compressed) at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. Apparel and other gifts decorated with some of our most popular photos can be ordered from the Cheshire Cat Photo™ Store on CafePress®. Both Shutterfly™ and CafePress® ship to most international locations worldwide! Framed prints and prints on canvas can be ordered from our galleries on imagekind® and redbubble®. All four locations are accessible from here. Be a “Facebook Fan” of Cheshire Cat Photo here! If you don’t see what you want or would like to receive an email when new photos are up on the site, send us an email at info@cheshirecatphoto.com.

©2010 William F. Hackett. All Rights Reserved.

No Comments to “Zero-day flaw in Java puts Windows users at (even more) risk”

  (RSS feed for these comments)

You must be logged in to post a comment.

InspectorWordpress has prevented 52153 attacks.
Get Adobe Flash player