A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.
The problem is with the Java Web Start framework, which allows developers an easy way to create Java applications. Disabling the Java plug-in will not protect against an attack, according to Ormandy.
"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote. "The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."
Ormandy said he informed Sun about the problem but was told it was not considered high enough priority to issue a patch outside of the regular quarterly patch cycle.
Representatives at Oracle, which recently acquired Sun Microsystems, did not respond to a phone call and e-mails seeking comment late on Friday.