7h15 b|0g i5 d3f1n173|y f0r y0u, 1f y0u c4n r34d 7h15!!!

19 April, 2010

Oracle patches JWS vulnerability

by Steve Ragan

On Thursday, Oracle released an update for the JWS vulnerability discovered by researcher Tavis Ormandy less than a week ago. The patch comes after Ormandy was told there would be no rush to address the issue, as it was not a high enough priority, and after the flaw was seen being exploited in live attacks online.

Last Friday, Tavis Ormandy posted an advisory to the Full Disclosure list detailing a flaw in the NPAPI plug-in/ActiveX control called the Java Development Toolkit. The flaw would allow an attacker to compromise a system simply by getting a victim to display a web page. While most Java installations are on Windows-based systems, Rubén Santamarta reported the same day Ormandy disclosed his findings that the issue affected Linux as well.

“The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited,” Ormandy wrote in his post to Full Disclosure.

“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.”
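The root cause Ormandy describes above is a launcher that accepts a "URL" parameter with only minimal validation and hands it to an external command, so that a value which is not really a URL ends up being read as command-line options. The following is an added illustration, not the toolkit's code or anything from the advisory: it contrasts a weak check (non-empty, then split on whitespace) with an allowlist check that insists on exactly one http/https URL, never a leading dash, and passes it as a single argv element. The sample inputs and the option names in them are constructed placeholders, not real javaws switches.

```python
"""Added example: strict validation of a URL parameter before it is
forwarded to an external launcher. Illustrative only; not the Java
Deployment/Development Toolkit's real code."""
import re
from urllib.parse import urlparse

# Constructed inputs: two legitimate JNLP-style URLs plus values that
# minimal validation would let through. "-placeholder-option" is a made-up
# switch name used only to show the shape of the problem.
SAMPLES = {
    "https://apps.example.com/launch/app.jnlp": True,
    "http://apps.example.com/app.jnlp?v=2": True,
    "-placeholder-option": False,
    "-placeholder-option http://apps.example.com/app.jnlp": False,
    "http://apps.example.com/app.jnlp -placeholder-option": False,
    "ftp://apps.example.com/app.jnlp": False,
    "javascript:alert(1)": False,
    "": False,
    "http://apps.example.com/app.jnlp\x00-x": False,
}

_ALLOWED_SCHEMES = {"http", "https"}
# One token made only of URL characters: no whitespace, no control bytes.
_TOKEN = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+$")


def is_safe_jnlp_url(value: str) -> bool:
    """Allowlist check: a single printable token, http/https scheme, a host,
    and never something the receiving command could parse as an option."""
    if not value or not _TOKEN.fullmatch(value):
        return False
    if value.startswith("-"):
        return False
    parsed = urlparse(value)
    if parsed.scheme.lower() not in _ALLOWED_SCHEMES:
        return False
    if not parsed.netloc:
        return False
    return True


def naive_argv(value: str) -> list:
    """The weak pattern: only checks for a non-empty value, then splits on
    whitespace, so extra tokens become extra arguments. Illustrative only."""
    if not value:
        raise ValueError("empty url parameter")
    return ["javaws"] + value.split()


def hardened_argv(value: str) -> list:
    """Validate against the allowlist and pass the URL as exactly one argv
    element, never via a shell string or a whitespace split."""
    if not is_safe_jnlp_url(value):
        raise ValueError("rejected url parameter: %r" % value)
    return ["javaws", value]


def classify(samples=SAMPLES) -> dict:
    """Return {value: (accepted_by_naive, accepted_by_hardened)} so the two
    policies can be compared side by side."""
    out = {}
    for value in samples:
        try:
            naive_argv(value)
            naive_ok = True
        except ValueError:
            naive_ok = False
        try:
            hardened_argv(value)
            hardened_ok = True
        except ValueError:
            hardened_ok = False
        out[value] = (naive_ok, hardened_ok)
    return out


if __name__ == "__main__":
    for value, (naive_ok, hardened_ok) in classify().items():
        print(f"{value!r:58} naive={naive_ok} hardened={hardened_ok}")
```

Running it shows every constructed non-URL value sailing through the naive policy while only the two real URLs survive the allowlist; the point for a reviewer is that rejecting a leading dash and refusing to split the value are both needed, since a value with no whitespace but a leading dash would otherwise still reach the command as an option.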

Ormandy noted that Sun (owned by Oracle) was informed of the vulnerability, but that Sun said there was no cause to break its quarterly patch cycle to address it, as the flaw was not a “high enough priority.”

“For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available,” Ormandy explained.

A few days after Ormandy posted his advisory, AVG noticed that the code was being used in live attacks online.

“The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code at an attack server in Russia. The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others,” wrote AVG’s Roger Thompson.

Perhaps the live attacks altered Oracle’s stance on patching, perhaps not. In the end, everyone with Java installed on their systems should head here to get the patch.


Source: http://www.thetechherald.com/article.php/201015/5519/Oracle-patches-JWS-vulnerability
