Oracle Java Critical Vulnerability Affects Most Users

13:56 CET on the 12th April 2010
Entry written by Alin Rad Pop.

The JRE (Java Runtime Environment) update released by Oracle at the end of March covered 20 vulnerabilities, some of which Secunia rated "Highly critical". Your system may have felt more secure after applying that update, but few users probably expected another "Highly critical" vulnerability to become public so soon after.

Today, Secunia issued SA39260. This advisory covers a vulnerability in a number of browser plugins installed by default with the JRE, commonly termed the Java Deployment Toolkit. The vulnerability was independently reported by Tavis Ormandy and Ruben Santamarta, both of whom provide good descriptions of the problem. Basically, the Java Deployment Toolkit issues a call to CreateProcessA() without sanitising the command line arguments. This allows arbitrary JVM arguments to be injected and code to be executed in a privileged context, leading to a complete system compromise when a user visits a web site.

This vulnerability is particularly interesting for an attacker as in-depth memory protection mechanisms on modern Windows operating systems such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) provide no mitigation. Consequently, we expect to soon see attempts to exploit this vulnerability in the wild.

We hope that Oracle decides to provide an update soon. Meanwhile, Java users are advised to delete or restrict access to all deployment plugins and to set the kill-bit for the affected ActiveX controls.

Stay Secure,

Alin Rad Pop,
Senior Security Specialist
