Tavis Ormandy discovered a bug in Java Web Start. This critical bug in the Java Runtime Environment allows code to be run remotely on any machine with Java 6.0 update 10 or later. In practice, anyone can be attacked simply by visiting a specially crafted page.
To explain how the exploit works, you need to know that ever since 1.6.10 Sun has shipped an NPAPI plugin (for Firefox, Chrome, etc.) and an ActiveX control (for Internet Explorer) called “Java Deployment Toolkit”, which simplifies distributing applications to end users via Web Start. The launch() method of this toolkit accepts a URL as a parameter; however, this parameter is poorly validated, so arbitrary parameters can be passed. The parameter is later handed to javaws, which allows any code to be run on the attacked machine.
Tavis Ormandy created a proof-of-concept application to show the exploit in use. The source of this PoC was published by Ruben Santamarta. Currently there is no fix for the bug, and according to Tavis Ormandy, Oracle/Sun is not planning to provide one quickly:
Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.
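Since the weakness is that a browser-hosted toolkit ends up passing extra options to javaws, one defensive check is to look in process-creation telemetry for javaws spawned by a browser with option flags on its command line. The example below is added here and is not Tavis Ormandy's PoC or any project's code; it assumes a constructed key=value log format and assumes that a normal Deployment Toolkit launch hands javaws only the JNLP URL.

```python
import re
import shlex
from dataclasses import dataclass

# Browser processes that host the Deployment Toolkit NPAPI plugin or ActiveX control.
BROWSER_PARENTS = {"firefox.exe", "chrome.exe", "iexplore.exe"}

# Constructed process-creation records (not real telemetry); "-Xplaceholder"
# stands in for whatever option an attacker-controlled page would inject.
SAMPLE_LOG = r"""
parent=firefox.exe image=C:\Java\bin\javaws.exe cmd="javaws.exe http://intranet.example/app.jnlp"
parent=firefox.exe image=C:\Java\bin\javaws.exe cmd="javaws.exe -Xplaceholder http://external.example/x.jnlp"
parent=explorer.exe image=C:\Java\bin\javaws.exe cmd="javaws.exe -viewer"
"""

@dataclass
class ProcessEvent:
    parent: str
    image: str
    command_line: str

LINE_RE = re.compile(r'parent=(\S+)\s+image=(\S+)\s+cmd="(.*)"$')

def parse_event(line: str):
    """Parse one record; return None for lines that do not match the constructed format."""
    m = LINE_RE.match(line.strip())
    return ProcessEvent(*m.groups()) if m else None

def is_suspicious_launch(ev: ProcessEvent) -> bool:
    """Flag javaws started by a browser with option flags in its command line.

    Assumption: a legitimate Deployment Toolkit launch passes javaws only the JNLP URL,
    so any '-'-prefixed token in a browser-spawned javaws command line is unexpected.
    """
    if ev.parent.lower() not in BROWSER_PARENTS:
        return False
    basename = ev.image.lower().replace("\\", "/").split("/")[-1]
    if basename not in ("javaws", "javaws.exe"):
        return False
    args = shlex.split(ev.command_line, posix=False)[1:]  # drop the program name
    return any(a.strip('"').startswith("-") for a in args)

def scan(log_text: str):
    """Return the command lines of every suspicious javaws launch found in the log."""
    events = (parse_event(line) for line in log_text.splitlines())
    return [ev.command_line for ev in events if ev and is_suspicious_launch(ev)]

if __name__ == "__main__":
    for cmd in scan(SAMPLE_LOG):
        print("ALERT: browser-spawned javaws with extra options:", cmd)
```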
I wasn’t here for quite a while… For the last three months I was quite busy since my life has changed rapidly. To cut a long story short:
1. First this thing happened:
2. Then we went there:
3. And then I’ve learned the consequences
Meanwhile I changed my job, did one commercial project using WicketCool (I will write about it soon), and I can finally get back to my blog ;). Hope to see you all soon.
Today JSR-314, aka JSF 2.0, was finally released. The expert group was formed on 1st July 2007, so it took almost 2 years to finish the specification. I’m really looking forward to this spec; I am curious and anxious to see what is new. From what I heard, javalobby.com will soon publish RefCards about JSF 2.0, so that should be a good place to start.
From what I have seen so far, JSF 2.0 tries to pick up where JSF 1.0 left off, so we are going to hear a lot about AJAX support and modularization. But just because those issues were taken into consideration does not mean that they were handled the right way. 12 members of the expert group voted ‘yes’ for the new specification; however, four were against. Those four include the Apache Foundation and IBM. I fear that when new issues and problems arrive with this new specification, Apache and IBM will once again say ‘We told you so’.
But right now I’m patiently waiting for the reference implementation to try JSF 2.0 myself. I really hope that things will get better.
And whatever you want to say about JSF (and to me especially, since I was recently ranting about it), remember this: JSF is now the standard, and the times when you had to code in pure JSP at work are long gone. JSF is always better than Model 2 JSP/servlet programming.