Users at a Severe Code-execution Risk from Java Bug
On April 9, 2010, researchers warned users of a bug in Java technology that could be exploited by hackers to compromise Windows systems when their users visit a malicious Web page.
Security researcher Ruben Santamarta, an engineer at Wintercore, said that parameters passed to Sun's Java Web Start framework from the command line were not validated properly. Hence, attackers could control those parameters via HTML tags on a Web page, as per the news published by THINQ.co.uk on April 10, 2010.
Reportedly, this attack could let hackers execute unauthorized Java programs on a victim's system. This is possible because Java permits developers to instruct the Java virtual machine to load alternate, possibly malicious, Java libraries. An attacker can easily execute his malicious program simply by building a malicious library and then asking the JVM to install it on the system.
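An added illustration of the validation gap described above, modelled in Python rather than taken from Java Web Start's own code: a launcher that forwards page-supplied text to the javaws command line unchecked, beside one that accepts only a single http(s) JNLP URL. The javaws binary name and the sample inputs are assumptions made for this illustration.

```python
import shlex
from urllib.parse import urlsplit

JAVAWS = "javaws"  # launcher binary; name assumed for the illustration


def build_command_unchecked(web_supplied: str) -> list[str]:
    """Vulnerable pattern: whatever the page supplied is split into tokens
    and appended to the launcher command line, so a page can smuggle extra
    launcher or JVM options in beside the JNLP URL."""
    return [JAVAWS, *shlex.split(web_supplied)]


def check_launch_argument(web_supplied: str) -> tuple[bool, str]:
    """Hardened pattern: the page may supply exactly one http(s) URL that
    names a .jnlp file, containing no whitespace or control characters and
    nothing that looks like an option."""
    tokens = shlex.split(web_supplied)
    if len(tokens) != 1:
        return False, f"expected one JNLP URL, got {len(tokens)} tokens"
    url = tokens[0]
    if url.startswith("-"):
        return False, "option-like argument rejected"
    if any(c.isspace() or not c.isprintable() for c in url):
        return False, "whitespace or control character in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "only http(s) URLs are accepted"
    if not parts.path.lower().endswith(".jnlp"):
        return False, "URL must name a .jnlp file"
    return True, "ok"


def build_command_checked(web_supplied: str) -> list[str]:
    """Only builds a command line once the argument has passed the check."""
    ok, reason = check_launch_argument(web_supplied)
    if not ok:
        raise ValueError(reason)
    return [JAVAWS, shlex.split(web_supplied)[0]]


# Constructed sample inputs: a benign launch and one carrying an extra
# JVM option (javaws passes -J<option> through to the JVM).
BENIGN = "http://apps.example.test/viewer.jnlp"
INJECTED = "http://apps.example.test/viewer.jnlp -J-Dinjected=1"

if __name__ == "__main__":
    print(build_command_unchecked(INJECTED))  # the extra option rides along
    print(check_launch_argument(INJECTED))    # (False, 'expected one JNLP URL, got 2 tokens')
    print(build_command_checked(BENIGN))
```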
Google engineer Tavis Ormandy, another researcher, discussed the same bug on the Full Disclosure mailing list. According to him, disabling the Java plug-in might not be enough to prevent exploitation, because the vulnerable component is installed independently, as per the news published by THINQ.co.uk on April 10, 2010.
In another post, Ormandy said that he had notified Sun about the issue but was told that releasing a patch outside the routine quarterly patch cycle was not regarded as a top priority, as per the news published by CNET News on April 9, 2010.
Marc Maiffret, chief security architect at FireEye, stated via instant message that Oracle is making a mistake by not fixing the bug immediately, as per the news published by PCWorld on April 9, 2010.
Maiffret also said that it is a neat bug, and a particularly vicious one, because it results from a design fault in Java rather than the kind of programming blunder that leads to the more widespread buffer-overflow attack.
» SPAMfighter News - 21-04-2010