Sun Pushes Emergency Java Patch
Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was about to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
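The summary's core point is that the plugin handed page-supplied parameters to a helper executable without validating them. The following is an added illustration, not Sun's code and not the actual patch (the summary only says the launch code was removed): a small, hypothetical launcher model that contrasts blindly forwarding page parameters with an allowlist check that accepts only a single http(s) .jnlp URL and refuses anything option-like. The helper name `javaws`, the policy, and the sample inputs are all constructed for the example.

```python
import subprocess
from urllib.parse import urlparse

# Hypothetical helper name; stands in for the javaws.exe the summary describes.
HELPER = "javaws"


class RejectedParameter(ValueError):
    """Raised when a page-supplied parameter fails the launch policy."""


def unsafe_build_helper_argv(page_params):
    """The pattern the summary criticises: whatever the page supplies goes
    straight onto the helper's command line, so option tokens pass through."""
    return [HELPER] + " ".join(page_params).split()


def build_helper_argv(page_params):
    """Validate untrusted page parameters before they reach the helper.

    Policy (an assumption for this example): exactly one parameter, which must
    be an absolute http(s) URL ending in .jnlp and must not look like an option.
    Returns argv as a list so no shell ever interprets the value.
    """
    if len(page_params) != 1:
        raise RejectedParameter(f"expected 1 parameter, got {len(page_params)}")
    value = page_params[0].strip()
    if not value or value.startswith("-"):
        raise RejectedParameter("empty or option-like parameter rejected")
    if any(ch.isspace() for ch in value):
        raise RejectedParameter("whitespace in parameter rejected")
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise RejectedParameter("only absolute http(s) URLs may be launched")
    if not parsed.path.lower().endswith(".jnlp"):
        raise RejectedParameter("only .jnlp resources may be launched")
    return [HELPER, value]


def launch(page_params):
    """Validate, then spawn the helper with an argv list (shell=False)."""
    argv = build_helper_argv(page_params)
    return subprocess.run(argv, shell=False, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate launch, one smuggling an option.
    good = ["https://example.test/app.jnlp"]
    smuggled = ["-verbose https://example.test/app.jnlp"]
    print("unsafe:", unsafe_build_helper_argv(smuggled))
    for params in (good, smuggled):
        try:
            print("validated:", build_helper_argv(params))
        except RejectedParameter as err:
            print("rejected:", params, "->", err)
```

The design point is that the decision is made on the structure of the value (one argument, one scheme, one file type, no option prefix) rather than by trying to blocklist known-bad flags, and that the result is passed as an argv list so the helper, not a shell, receives it.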
That's not the problem.
The problem is, management (the people in control of the big corporations who harbor at most marginal technical aptitude) see the flaw but lack the imagination to understand how it could be used for real harm until they see it used for real harm.
(Actually, "lack the imagination" may be misleading. They are motivated to think that the problem is not a big deal, and they have no problem convincing themselves of this rather than exploring the possible threat scenarios.)
Full disclosure changes the risk from the company's point of view ("Oh, great, now we know people are trying to think of a way we're not seeing to exploit this") but the real tipping point is when they see a demonstration of harm being done (not merely a proof-of-concept that they can rationalize away).