
Zero-day Java flaw opens users to attack

by Iain Thomson

10 Apr 2010

The Java zero-day flaw will go unpatched

Security researchers have warned of a flaw in Java that could allow malware writers to inject code onto users' machines.

The flaw is in the Java Web Start system built for developers, and affects every version since Java 6 Update 10.

The code contains an NPAPI plug-in and ActiveX control called Java Deployment Toolkit which does not check the full parameters of URLs.

"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," wrote researcher Tavis Ormandy on the Full Disclosure mailing list.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."
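The weakness described above is insufficient validation of a single input before it is handed to a command-line launcher. The following is an added educational example, not Sun/Oracle code and not the toolkit's actual logic: it contrasts a minimal prefix check with a strict check that accepts only one well-formed absolute http(s) URL and rejects anything that a launcher would split into additional arguments. The function names, the `.jnlp` policy and the sample inputs are constructed for illustration.

```python
"""Strict validation of a URL passed from a browser plug-in to a command-line
launcher. Added educational example; not Sun/Oracle code. All names and
sample inputs are constructed for illustration."""
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 2048


def weak_validate(value: str) -> bool:
    """Illustrative minimal check: only inspects the prefix, so anything that
    follows the URL, including extra space-separated tokens, is let through."""
    return value.startswith(("http://", "https://"))


def strict_validate(value: str) -> bool:
    """Accept only a single, well-formed absolute http(s) URL to a JNLP file.

    Rejects whitespace and control characters (a shell-style launcher would
    split those into further arguments), non-http schemes, embedded
    credentials, and empty hosts.
    """
    if not value or len(value) > MAX_URL_LEN:
        return False
    # Any whitespace or control character means this is not one URL.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc or parts.username or parts.password:
        return False
    # Constructed policy: only launch JNLP descriptors.
    if not parts.path.lower().endswith(".jnlp"):
        return False
    return True


def build_launch_argv(launcher: str, value: str) -> Optional[List[str]]:
    """Return the argv list for the launcher, or None if the value is rejected.

    The URL is passed as exactly one argv element (never joined into a
    command-line string), so the launcher receives it as a single argument.
    """
    if not strict_validate(value):
        return None
    return [launcher, value]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and one with a trailing token.
    for sample in ("https://example.com/app/launch.jnlp",
                   "https://example.com/launch.jnlp -extra-option"):
        print(sample, "weak:", weak_validate(sample), "strict:", strict_validate(sample))
```

The design point is twofold: validate the whole value rather than its prefix, and pass it to the child process as one argv element so that no part of it can be re-tokenised as an option.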

Ormandy explained that the flaw leaves all Windows users of Java open to attack. He published his findings because Sun Microsystems owner Oracle does not consider the bug important enough to break its quarterly patching schedule.

"Sun has been informed about this vulnerability; however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," he said.

"For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."

Do you agree?
