Zero-day flaw in Java puts Windows users at (even more) risk
Tavis Ormandy, a Google engineer, provided details on the Full Disclosure email list, and Ruben Santamarta, an engineer at Wintercore, wrote about the vulnerability on his company blog site.
“Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control called “Java Deployment Toolkit” to provide developers with a simpler method of distributing their applications to end users. This toolkit is installed by default with the JRE and marked safe for scripting.”
“The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited,” Ormandy wrote. “The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.”
“All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.”
“I believe non-Windows installations are unaffected.”
“For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.”
Ormandy offers workarounds to mitigate the problem.
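The post does not reproduce the workarounds. As an added example (not the post's or the advisory's own code), the PowerShell script below audits a registered ActiveX control for the registry marker behind "marked safe for scripting" and for Internet Explorer's kill bit, and can set the kill bit, which is the standard way to stop Internet Explorer from instantiating a control. The CLSID is a placeholder to replace with the control's real identifier; the category GUIDs are the well-known COM category IDs, and the kill-bit key and flag value are the documented Internet Explorer mechanism.

```powershell
# Added example, not from the post or the advisory. Audits one ActiveX control:
# is it registered, is it marked safe for scripting/initializing in the registry,
# and is the Internet Explorer kill bit set? With -SetKillBit it sets the kill bit.
# Run from an elevated PowerShell prompt.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # PLACEHOLDER CLSID
    [switch]$SetKillBit
)

# Well-known COM category IDs: CATID_SafeForScripting / CATID_SafeForInitializing.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag         = 0x400   # "Compatibility Flags" bit that disables the control in IE

$clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

if (-not (Test-Path $clsidKey)) {
    Write-Output "Control $Clsid is not registered on this machine."
    return
}

$name   = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
$server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
Write-Output "Control : $name"
Write-Output "Server  : $server"

# The registry category marker is one of two ways a control declares itself
# script-safe (the other is IObjectSafety at runtime); only the marker is checked here.
$scriptSafe = Test-Path "$clsidKey\Implemented Categories\$SafeForScripting"
$initSafe   = Test-Path "$clsidKey\Implemented Categories\$SafeForInitializing"
Write-Output "SafeForScripting category    : $scriptSafe"
Write-Output "SafeForInitializing category : $initSafe"

$flags = 0
if (Test-Path $compatKey) {
    $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
}
$killBitSet = ($flags -band $KillBitFlag) -ne 0
Write-Output ("Kill bit set: {0} (Compatibility Flags = 0x{1:X})" -f $killBitSet, $flags)

if ($SetKillBit -and -not $killBitSet) {
    New-Item -Path $compatKey -Force | Out-Null
    New-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($flags -bor $KillBitFlag) -Force | Out-Null
    Write-Output "Kill bit set for $Clsid; Internet Explorer will no longer load this control."
}
```

On 64-bit Windows the 32-bit control is also reachable under the Wow6432Node branch of both keys, so audit that path as well. The kill bit covers only the ActiveX control; the NPAPI plugin the post mentions is loaded by other browsers and must be disabled separately.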
Who said the Code War was over?
-Bill at
Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”
©2010 William F. Hackett. All Rights Reserved.