Java flaw exposes Windows users to attacks

Two researchers disclose zero-day flaw in Java that affects Windows computers running major browsers.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.

Google engineer Tavis Ormandy released details on the Full Disclosure mailing list, and Ruben Santamarta, an engineer at Wintercore, wrote about it on his company's blog.

The problem is in the Java Web Start framework, which lets Java applications be launched from a Web page, and specifically in the Java Deployment Toolkit, the browser component that hands a page-supplied URL to the javaws launcher. Disabling the Java plug-in will not protect against an attack, according to Ormandy, because the toolkit is installed as a separate browser component.

"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote. "The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."
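The bug class Ormandy describes is argument injection: a launcher that barely validates a URL before building a command line from it lets an attacker smuggle extra arguments to the launched tool. The following is an added illustration, not code from the article, from Ormandy's advisory or from Sun's toolkit; the function names, the `-illustrative-option` flag and the sample URLs are constructed for the example, and no process is actually started (only the argv is built).

```python
"""Argument injection through a 'launch this URL' parameter.

Constructed illustration of the bug class the article describes: a launcher
that does only minimal validation of a URL before handing it to a command-line
tool. The names and logic here are hypothetical; they are not the Java
Deployment Toolkit's code, and nothing is executed (argv is built, not run).
"""
from urllib.parse import urlsplit

LAUNCHER = "javaws"  # the tool being launched; only used to build argv


def build_argv_weak(url):
    """Minimal validation: reject an empty value, then split on whitespace.

    Anything after a space in the attacker-controlled value becomes an
    additional argument to the launcher, which is the injection.
    """
    if not url:
        raise ValueError("empty url")
    return [LAUNCHER] + url.split()


def build_argv_hardened(url):
    """Validate the value as one http(s) URL and pass it as a single argv entry.

    The value must contain no whitespace or control characters, must parse
    with an http or https scheme and must carry a host. A value that passes
    can neither begin with '-' nor be split into several arguments.
    """
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("url is empty or contains whitespace/control characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unexpected scheme: %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("url has no host")
    return [LAUNCHER, url]


def accepts(url):
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_argv_hardened(url)
        return True
    except ValueError:
        return False


# Constructed inputs: a benign launch URL and one carrying an extra option.
BENIGN = "http://example.com/app.jnlp"
INJECTED = "http://example.com/app.jnlp -illustrative-option"


def demo():
    """Compare both builders on the constructed inputs."""
    weak = build_argv_weak(INJECTED)
    return {
        "weak_argv": weak,
        "weak_injected": len(weak) > 2,       # extra argument reached the launcher
        "hardened_rejects_injected": not accepts(INJECTED),
        "hardened_rejects_file_scheme": not accepts("file:///C:/evil.jar"),
        "hardened_rejects_bare_option": not accepts("-illustrative-option"),
        "hardened_benign_argv": build_argv_hardened(BENIGN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hardened builder passes the URL as one element of an argv list rather than through a shell or a whitespace split, so even a value that somehow contained separators could not become a second argument; the scheme and whitespace checks are what keep a value starting with `-` from ever being interpreted as an option by the launched tool.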

The vulnerability affects all current versions of Windows and the major browsers including Firefox, Internet Explorer and Chrome, according to Kaspersky Lab's Threat Post blog.

Ormandy said he informed Sun about the problem but was told it was not considered high enough priority to warrant a patch outside of the regular quarterly patch cycle.

Representatives at Oracle, which recently acquired Sun Microsystems, did not respond to a phone call and e-mails seeking comment late on Friday.