Java drive-by vulnerabillity update (6u20)

[Doomster]

http://blogs.zdnet.com/security/?p=6186&tag=nl.e540

 

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

 

Java 6 Update 20 does not specifically mention this fix, but it does fix the issue.

[darksonic45]

Thanks for the heads up. Downloading the fix now.

[Solartide]

Can't help but wonder what if one day, the people at Sun, Google, Microsoft, etc, decide to turn rogue. They release this sensational story of a huge vulnerability and a patch that all users must immediately download to save their computers. Little does the user know that the "patch" they downloaded is the malware itself, paving a path for world domination by the three companies.

[anonymouse_]

Good stuff :thumbup:

[Solartide]

Also: This is why you turn Java off, or use NoScript.

[sees_all1]

Can't help but wonder what if one day, the people at Sun, Google, Microsoft, etc, decide to turn rogue. They release this sensational story of a huge vulnerability and a patch that all users must immediately download to save their computers. Little does the user know that the "patch" they downloaded is the malware itself, paving a path for world domination by the three companies.

Well, you don't have to worry about sun anymore. You need to worry about oracle. :D

[nightshade53]

mac ftw

[Jard_Y_Dooku]

Also: This is why you turn Java off, or use NoScript.

 

This is why you turn your computer off.

 

[hide]There's vulnerabilities in the operating system, too...[/hide]

 

mac ftw

 

There could just as easily be a vulnerability in the Mac version of Java.

[Ronan]

I would boast about Linux at this point, but one of the white-hats mentioned that although they couldn't exploit linux-versions of Java with this exact vulnerability, it may just require a different approach :-

Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn't allow me to research into this issue.I was focused on Windows at the moment of the disclosure.

 

There could just as easily be a vulnerability in the Mac version of Java.

Interestingly enough, according to the 0day-related page linked to from the article (here), MacOSX isn't actually vulnerable, yet Windows and Linux are.

 

Glad they changed their mind on the update though! :)

[Louisc111]

I'd already updated my Java by coincidence, but Norton 360 took care of this problem (blocked the test page) before it even loaded, so Norton users should also be ok.

 

Thanks for the info though.

[paul191600]

So what exactly was the bad page?

[Ronan]

So what exactly was the bad page?

It seems the proof-of-concept page simply opened up the Calculator application on windows by launching a java web-start application to show the vulnerability. I'm not certain if the vulnerability actually was utilised for harm but a lot of it seems to have just been emphasis on the vulnerability being present rather than being used by anyone - I'm quite sure we could well have seen it being used for worse if they hadn't released an update.

[pulli23]

Lol these kind of vulnerabilities come like... weekly.

You really don't have to get dramatic over it, it more or less normal to have nowadays.

[DeeKay]

No biggie. It's not that http://runescape.com was any security threat, and if you go to fishy websites you're at risk regardless of Java.