Nifty Java bug could lead to attack

The attack gives hackers a way to run unauthorized software on a victim's computer

A Google researcher has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer.

The attack was disclosed Friday by Google's Tavis Ormandy, who said he had notified Oracle's Sun team about the flaw earlier. "They informed me that they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote. "I did not agree."

Oracle declined to comment on the issue. The company just released a major Java update last week and its next set of patches is due in July.

The attack could give hackers a way to run unauthorized Java programs on a victim's machine. They can do this because Java allows developers to tell the Java virtual machine to install alternate Java libraries. By creating a malicious library and then telling the JVM to install it, an attacker could run his malicious program.

Oracle is making a mistake, not patching the bug immediately, said Marc Maiffret, chief security architect with FireEye, via instant message.

The bug is particularly nasty because it's due to a design flaw in Java, rather than the type of programming error that would lead to a more common buffer-overflow attack. "It is a neat bug," he said.

However, Java-based attacks are still rare, and rather than developing a brand-new type of attack, criminals are more likely to spend their time using known vectors such as the browser or Adobe Reader, said Russ Cooper, a senior information security analyst with Verizon Business.

"Java has not been exploited to any extent that should worry the average consumer, heck, or business for that matter," he said via instant message.

The flaw affects "all versions since Java SE 6 update 10 for Microsoft Windows," Ormandy said. Linux users may also be affected, Symantec said in a note on the issue.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Topics: security, java
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
Use WhistleOut's technology to compare:
Mobile phone plans & deals
Mobile phone models
Mobile phone carriers
Broadband plans & deals
Broadband providers
Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?