Java Zero-Day Vulnerability Revealed
The flaw affects users of both Windows and Linux.
April 9, 2010

Details of a zero-day Java vulnerability were published on Friday by Tavis Ormandy, an information security engineer at Google.
The vulnerability resides within an NPAPI plugin and ActiveX control called "Java Deployment Toolkit."
"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote in a post to a security mailing list.
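The flaw class Ormandy describes is argument injection: a value meant to be one URL is appended to a command line with so little checking that it can become extra options for the launcher. The following is an added illustration from a defender's stance, not code from the article, from Sun's toolkit or from Ormandy's post; the function names, the check list and the assumption that only http(s)-hosted launch files are expected are mine, and the argv layout is a hypothetical launcher wrapper rather than the real plugin's behaviour.

```python
"""Hypothetical launcher wrapper showing how a URL parameter can be checked
before it reaches a command line.

Added example; not the Java Deployment Toolkit's code. The executable name
comes from the article, everything else is an assumption for illustration.
"""
from urllib.parse import urlparse

LAUNCHER = "javaws"                  # executable named in the article
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web-hosted launch files expected


def check_launch_url(url: str) -> list:
    """Return the reasons a value must not reach the launcher's command line.

    An empty list means the value passed every check. Each check targets one
    way a single 'URL' parameter could be read as something else by the launcher.
    """
    problems = []
    if not url:
        return ["empty value"]
    if url.lstrip().startswith("-"):
        # A leading dash would let the launcher read the value as an option.
        problems.append("starts with '-'")
    if any(ord(c) < 0x21 for c in url):
        # Whitespace or control characters can split one value into several arguments.
        problems.append("contains whitespace or control characters")
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parsed.scheme!r} not allowed")
    if not parsed.netloc:
        problems.append("missing host")
    return problems


def build_launch_argv(url: str) -> list:
    """Build the launcher's argument vector, or raise if the value fails validation.

    The result is a list so the caller hands it to the OS without a shell, and
    the URL is the final element so it cannot precede or rewrite fixed options.
    """
    problems = check_launch_url(url)
    if problems:
        raise ValueError("rejected launch URL: " + "; ".join(problems))
    return [LAUNCHER, url]


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL, three values that must be rejected.
    for sample in (
        "https://example.invalid/app.jnlp",
        "-verbose",
        "https://example.invalid/app.jnlp second-arg",
        "file:///tmp/app.jnlp",
    ):
        print(repr(sample), "->", check_launch_url(sample) or "ok")
```

The point of the list-based `build_launch_argv` is that validation and argument construction sit together: a launcher that accepted a raw string and let the OS or a shell split it would need a much longer blacklist than the four checks above, and would still be guessing at the launcher's option syntax.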
He says that the ease with which this error can be discovered has convinced him that it's in everyone's interest -- except Sun's -- to release the details.
Ormandy says that all versions of Java since Java SE 6 update 10 for Microsoft Windows appear to be affected by this vulnerability.
In a blog post, Qualys CTO Wolfgang Kandek points to a technical analysis of the flaw by Ruben Santamarta, who notes that Linux is affected as well.
"The vulnerability allows an attacker to execute remote code on the target machine and can be triggered by a user visiting a simple Web page," said Kandek. "It is located in the Java Web Start component and is present on Java running on Windows Operating Systems."
In his mailing list post, Ormandy has included a link to a Web page that launches proof-of-concept exploit code.
A patch is not yet available, but Ormandy suggests several workarounds.
He also says that Sun has been informed of the flaw but does not consider it serious enough to issue a patch outside of its quarterly cycle.