Skip to main content

Java hole makes Windows vulnerable

A serious vulnerability in Java that has been kicking around for a couple of years has been exposed as dangerous.

The hole affects current versions of Windows rendering them open to simple fly-by attacks that could lead to a complete compromise of the system.

According to security researcher Ruben Santamarta, Sun's Java Web Start framework does not properly validate parameters passed to it from the command line, so attackers could control the parameters using HTML tags on a Web page.

In a separate posting yesterday, Tavis Ormandy detailed the same bug on the Full Disclosure mailing list. Ormandy warned that disabling the Java plug-in may not prevent exploitation, since the vulnerable component installs separately.

Ormandy said he had notified Sun about the vulnerability but the company did not deem it serious enough to warrant a quick fix.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy wrote. Basically if you have Java on your system you're likely to be vulnerable.

In short, if you have a recent version of Java running on a Windows machine, you're affected by this flaw.

According to Santamarta, the JavaWS is used by all the major browsers including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 to Windows 7,.

The workaround for this is to disable both JavaWS and Javaws.exe, Santamarta said in his advisory.