
Critical Vulnerability In Java Deployment Toolkit


#1 Andrew


    Bleepin' Night Watchman

  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 10 April 2010 - 01:19 PM

Security researcher Tavis Ormandy has uncovered and publicized a serious flaw in the Java Web Start plugin which allows for arbitrary code execution in any browser that has the plugin installed. The vulnerability has been confirmed to affect Windows and may also affect Linux.

Oracle, which recently acquired Sun Microsystems, the developer of Java, does not seem to believe the flaw is serious enough to patch it immediately. According to Mr. Ormandy, when he advised Oracle/Sun of the flaw they responded that they "do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle."

The vulnerable plugins are identified as the Java Deployment Toolkit ActiveX control in Internet Explorer and the NPAPI plugin in Mozilla Firefox.

Further reading:

The Register article
Full Disclosure advisory



#2 RedDawn


  • Members
  • 454 posts
  • Gender:Not Telling

Posted 15 April 2010 - 06:15 PM

Computerworld - Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.

The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.

Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.


Update now! http://www.calendarofupdates.com/updates/i...;event_id=69663
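The post above gives a concrete fix level (Java SE 6 Update 20, reported by the JVM as "1.6.0_20"), so the practical question for an admin is whether a given host is still below it. The following is an added example, not code from the BleepingComputer thread, Oracle, or Tavis Ormandy: it parses the version line that `java -version` prints and compares it against 6u20. The two sample outputs are constructed for offline use, not captured from real machines.

```python
import re
import subprocess

# Java SE 6 Update 20 is the first release with Oracle's fix, per the post
# above; `java -version` reports it as "1.6.0_20".
FIXED_VERSION = (1, 6, 0, 20)

# Matches the first line of `java -version`, e.g.
#   java version "1.6.0_19"      -> 1, 6, 0, 19
#   java version "1.7.0_45"      -> 1, 7, 0, 45
#   openjdk version "11.0.2"     -> 11, 0, 2, (no update field)
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None.

    The update field is optional because newer JDKs dropped the "_NN" suffix.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(output):
    """True only when the reported Java is 6u20 or later.

    Unknown or unparsable output is treated as NOT patched: a host you cannot
    prove is fixed should be chased, not silently passed.
    """
    version = parse_java_version(output)
    if version is None:
        return False
    return version >= FIXED_VERSION


def local_java_version_output():
    """Run `java -version` on this host. The JVM writes it to stderr."""
    try:
        result = subprocess.run(["java", "-version"],
                                capture_output=True, text=True)
    except OSError:
        return ""  # no java on PATH
    return result.stderr + result.stdout


# Constructed sample outputs (not from real hosts) so the script runs offline.
SAMPLE_VULNERABLE = ('java version "1.6.0_19"\n'
                     'Java(TM) SE Runtime Environment (build 1.6.0_19-b04)\n')
SAMPLE_PATCHED = ('java version "1.6.0_20"\n'
                  'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)\n')

if __name__ == "__main__":
    checks = [("sample 6u19", SAMPLE_VULNERABLE),
              ("sample 6u20", SAMPLE_PATCHED),
              ("this host", local_java_version_output())]
    for label, out in checks:
        state = "patched (>= 6u20)" if is_patched(out) else "NOT patched / unknown"
        print(f"{label}: {parse_java_version(out)} -> {state}")
```

One caveat when using this for a fleet check: `java -version` reports whichever JRE is first on PATH, which is not necessarily the one registered as the browser plugin on a machine with several JREs installed. Anything older than 6u20 is reported as unpatched, which is the conservative reading of the post.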
