Sponsored By

Java Zero-Day Vulnerability RevealedJava Zero-Day Vulnerability Revealed

The flaw affects users of both Windows and Linux.

Thomas Claburn

April 9, 2010

1 Min Read

Details of a zero-day Java vulnerability were published on Friday by Tavis Ormandy, an information security engineer at Google.

The vulnerability resides within an NPAPI plugin and ActiveX control called "Java Deployment Toolkit."

"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote in a post to a security mailing list.

He says that the ease with which this error can be discovered has convinced him that it's in everyone's interest -- except Sun's -- to release the details.

Ormandy says that all versions of Java since Java SE 6 update 10 for Microsoft Windows appear to be affected by this vulnerability.

In a blog post, Qualys CTO Wolfgang Kandek points to a technical analysis of the flaw by Ruben Santamarta, who notes that Linux is affected as well.

"The vulnerability allows an attacker to execute remote code on the target machine and can be triggered by a user visiting a simple Web page," said Kandek. "It is located in the Java Web Start component and is present on Java running on Windows Operating Systems."

In his mailing list post, Ormandy has included a link to a Web page that launches proof-of-concept exploit code.

A patch is not yet available, but Ormandy suggests several workarounds.

He also says that Sun has been informed of the flaw but does not consider it serious enough to issue and patch outside of its quarterly cycle.

Read more about:


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights