Members
  • Total Members: 12811
  • Latest: nodrog
Stats
  • Total Posts: 28507
  • Total Topics: 8238
  • Online Today: 852
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Nifty Java Bug Could Lead to Attack  (Read 1267 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Nifty Java Bug Could Lead to Attack
« on: 10. April 2010., 08:21:00 »


A Google researcher has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer.

The attack was disclosed  Friday by Google's Tavis Ormandy, who said he had notified Oracle's Sun team about the flaw earlier: http://seclists.org/fulldisclosure/2010/Apr/119
"They informed me that they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote. "I did not agree."

Oracle declined to comment on the issue. The company just released a major Java update last week and its next set of patches is due in July: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

The attack could give hackers a way to run unauthorized Java programs on a victim's machine: http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
They can do this because Java allows developers to tell the Java virtual machine to install alternate Java libraries. By creating a malicious library and then telling the JVM to install it, an attacker could run his malicious program.

Oracle is making a mistake, not patching the bug immediately, said Marc Maiffret, chief security architect with FireEye, via instant message.

The bug is particularly nasty because it's due to a design flaw in Java, rather than the type of programming error that would lead to a more common buffer-overflow attack. "It is a neat bug," he said.

However, Java-based attacks are still rare, and rather than developing a brand-new type of attack, criminals are more likely to spend their time using known vectors such as the browser or Adobe Reader, said Russ Cooper, a senior information security analyst with Verizon Business.

"Java has not been exploited to any extent that should worry the average consumer, heck, or business for that matter," he said via instant message.

The flaw affects "all versions since Java SE 6 update 10 for Microsoft Windows," Ormandy said. Linux users may also be affected, Symantec said in a note on the issue: http://www.symantec.com/security_response/threatcon/index.jsp

(PCW)

Samker's Computer Forum - SCforum.info

Nifty Java Bug Could Lead to Attack
« on: 10. April 2010., 08:21:00 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising