Serious New Java Flaw Affects All Browsers

Posted by Soulskill on Friday April 9, 2010 @09:20AM from the at-least-it's-consistent dept.

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

2 of 164 comments (clear)

Min score:

Reason:

Sort:

Re:Article Contents by binarylarry · 2010-04-09 09:35 · Score: 5, Informative

Actually it affected Linux browsers too.
However, it was fixed a few updates ago: http://java.sun.com/javase/6/webnotes/6u17.html

--
Mod me down, my New Earth Global Warmingist friends!
Some precisions.... by ls671 · 2010-04-09 10:06 · Score: 5, Informative

Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.
Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.
I thought this should be made clearer... ;-))

--
Everything I write is lies, read between the lines.