Java provides remote attack vector on all platforms

Lee · **Author**

http://www.auscert.org.au/render.html?it=7664
http://www.java.com/en/download/manual.jsp

I could see this being a huge problem for many millions of people.

Zenith77 · 07-13-2007 , 14:17 Re: Java provides remote attack vector on all platforms

I can't help but laugh.

Twilight Suzuka · 07-13-2007 , 15:29 Re: Java provides remote attack vector on all platforms

Doesn't seem any worst than printf attacks

Zenith77 · 07-13-2007 , 15:53 Re: Java provides remote attack vector on all platforms

Quote:

Originally Posted by Twilight Suzuka

Doesn't seem any worst than printf attacks

Yea, but from what little I understand on this is all that needs to happen is for the picture to load in a java app. Place this on a highly visited web site and o noes.

TheNewt · 07-13-2007 , 15:57 Re: Java provides remote attack vector on all platforms

Okay... So basically another exploit that prays on the stupid? That is fantastic.

Lee · *Last edited by Lee; 07-13-2007 at 16:33.*

I run my browsers and email clients without administrative privileges for obvious reasons, but I've resisted installing NoScript until now because there are so many sites that don't graciously handle Java and Javascript being disabled.

People who don't patch their software when they're aware of an update are indeed stupid, but you can't expect end users to monitor security bulletins. I only found out about this by coincidence when reading Slashdot. For something as ubiquitous and easily exploitable as Java, there should at the very least be a notification that a security update has been released.

What printf() attacks?

commonbullet · *Last edited by commonbullet; 07-13-2007 at 20:00.*

This, I suppose:
http://en.wikipedia.org/wiki/Format_string_attacks

I guess jre users are notified about software updates (or automatically updated?) by default.

Lee · *Last edited by Lee; 07-13-2007 at 20:28.*

No.. At least I wasn't, and I wouldn't knowingly disable such a feature unless it became intrusive.

Edit: It probably does actually - once a month by default it seems. I opened the Java options dialogue in Control Panel and I'm immediately presented with the option to unblock it by my firewall. Theoretically that should have happened as soon as it checked for updates. I'm really not sure what I should blame for the auto-update not working, but if it does usually work, this is nowhere near as bad as I originally made out.

Edit: The update feature is a separate executable that was automatically allowed by my firewall when I ran it manually - meaning it was the first time it had ever been launched contrary to what the options dialogue displayed. I'm really confused.

BAILOPAN · 07-13-2007 , 21:17 Re: Java provides remote attack vector on all platforms

FUD