Slashdot Mirror


Serious New Java Flaw Affects All Browsers

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

1 of 164 comments

  1. Re:Java has had a built-in backdoor by petermgreen · Score: 5, Interesting

    Personally I doubt this was deliberate.

    The ability to load a different version of the JVM DLL sounds like a debugging feature, and normally someone running Java from the command line would have the ability to run anything else anyway, so it wouldn't really seem like a security flaw.

    Processing untrusted stuff to allow it to be passed to an interface designed to take trusted stuff is known to be something that is easy to fuck up. Just look at all the SQL injection attacks over the years.

    --
    note: I'm known as plugwash most places, but I screwed up registering that here somehow in the past and now can't register
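The mechanism the summary describes and the general point petermgreen makes (text supplied by a web page being forwarded into a command line that was designed to take only trusted input) in miniature, as an added example that is not part of the thread and not the Java Web Start code. The `launcher` program name, the `--native-lib` switch, the `--` end-of-options convention and the argument allowlist are assumptions made for illustration; none of them are the real JavaWS parameters.

```python
"""
Argument injection: a web-facing launcher that splits a page-supplied
parameter string into argv, beside a hardened version that treats the
page value as one opaque positional argument.

Constructed example. LAUNCHER and the "--native-lib" switch are
hypothetical stand-ins, not the real Java Web Start binary or options.
"""
import re
import shlex

LAUNCHER = "launcher"  # hypothetical native helper the browser plugin starts

# Allowlist for the single argument the page is permitted to supply:
# must start with an alphanumeric (so it can never look like a switch),
# and may contain no whitespace or quote characters that shlex would
# turn into extra tokens.
SAFE_ARG = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/-]*")

# Constructed inputs: what an honest page and a hostile page would put in
# the parameter the plugin forwards. The switch name is made up.
BENIGN_PARAM = "app.txt"
MALICIOUS_PARAM = "--native-lib=/tmp/x.so app.txt"


class RejectedParameter(ValueError):
    """Raised when a page-supplied parameter fails the allowlist."""


def build_argv_unsafe(page_param: str) -> list[str]:
    """Vulnerable: whatever the page supplied is shell-split straight into
    argv, so a page can smuggle extra switches in front of the real
    application argument and the launcher's option parser will honour them."""
    return [LAUNCHER] + shlex.split(page_param)


def build_argv_safe(page_param: str) -> list[str]:
    """Hardened: the page value is exactly one positional argument.
    Anything outside the allowlist is rejected, and "--" (assumed to be
    understood by the launcher) stops option parsing before the argument."""
    if not SAFE_ARG.fullmatch(page_param):
        raise RejectedParameter(f"parameter rejected: {page_param!r}")
    return [LAUNCHER, "--", page_param]


def injected_switches(argv: list[str]) -> list[str]:
    """Audit helper: list the switch-like tokens that reached argv after
    the program name, which is what a page should never be able to add."""
    return [a for a in argv[1:] if a.startswith("-") and a != "--"]


if __name__ == "__main__":
    for param in (BENIGN_PARAM, MALICIOUS_PARAM):
        argv = build_argv_unsafe(param)
        print("unsafe:", argv, "injected:", injected_switches(argv))
        try:
            argv = build_argv_safe(param)
            print("safe:  ", argv, "injected:", injected_switches(argv))
        except RejectedParameter as exc:
            print("safe:  ", exc)
```

The unsafe builder turns the hostile parameter into `['launcher', '--native-lib=/tmp/x.so', 'app.txt']`, which is exactly the shape of problem the summary describes: the page, not the user, chose a switch. The safe builder rejects it outright and never hands the launcher anything but a vetted positional argument.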