JRE Exploit happened!
Tavis Ormand discovered the bug inside Java Web Start. Critical bug that exists inside Java Runtime Environment allows to remotely run code on any machine with Java 6.0 with update 10 or later. In practice anyone can be attacked by simply entering specially designed page.
To explain how the exploit can work, you need to know that ever since 1.6.10 Sun has distributed an NPAPI plugin (for firefox, chrome ect.) and ActiveX control (for Internet Explorer) called “Java Deployment Toolkit” that simplifies distributing applications to the end user by Web Start. The launch() method of this toolkit accepts url as a parameter, however this parameter is poorly validated, thus allowing passing arbitrary parameters. This parameter is later on passed to javaws, allowing to run any code on attacked machine.
Tavis Ormand created a Proof of Concept application to show exploit in use. Source of this PoC was published by Ruben Santamart. Currently there is no fix for the bug and according to Tavis Ormand, Oracle/Sun is not planning to do it quickly:
Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.
Leave a Reply
Recent Comments
 | KosciaK on Changing my blog… A… |
 | Naresh on JPA 2.0 and Spring 3.0 with… |
| Writing readable and… on Test template you should alway… | |
 | paulszulc on Java Killers #002 – Add… |
| paulszulc on Installing Liferay with MySQL,… |
Visitors
Seems that it is Oracle’s problem now…
c.d.:
- Secunia: http://secunia.com/advisories/39260
- no i nowa wersja: http://java.sun.com/javase/6/webnotes/6u20.html
I should have been in English in fact