A week ago Sun (the makers of the Java platform) told a Google researcher (Tavis Ormandy) that it did not consider a known exploit to be serious enough to patch.
Ormandy said:
Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.
For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.
However, in an unexpected turnabout, Sun released a patch for this exploit once reports started coming in that users were being infected by drive-by, in-the-wild Java attacks.
The flaw, which was discovered independently, occurs because the Java-Plugin Browser runs “javaws.exe” without validating its command-line parameters. To protect yourself and your clients from it, update to the most recent version of Java here.
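
The class of bug described above (a launcher handing web-supplied values to a helper program's command line without validating them) and the check that prevents it, as an added example that is not Sun's code and not from the original post. The function names, the scheme allowlist and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

HELPER = "javaws"                      # helper named on the page
ALLOWED_SCHEMES = {"http", "https"}    # assumed policy, not from the page


class RejectedArgument(ValueError):
    """A web-supplied value that must not reach the helper's argv."""


def build_helper_argv(untrusted_url):
    """Return an argv list for the helper, or raise RejectedArgument."""
    if not untrusted_url:
        raise RejectedArgument("empty value")
    # Whitespace, control characters and quotes can split or re-quote a
    # command line that is later flattened into one string (as on Windows).
    if any(c.isspace() or ord(c) < 0x20 or c in "\"'`" for c in untrusted_url):
        raise RejectedArgument("whitespace, control or quote character")
    # A leading '-' or '/' would be read by many programs as an option.
    if untrusted_url[0] in "-/":
        raise RejectedArgument("looks like an option")
    try:
        parts = urlsplit(untrusted_url)
        host = parts.hostname
    except ValueError:
        raise RejectedArgument("unparseable URL") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        raise RejectedArgument("not an absolute http(s) URL")
    # One value, one argv element: no shell, no re-parsing of the value.
    return [HELPER, untrusted_url]


def check(value):
    """Describe the validation outcome for one value."""
    try:
        build_helper_argv(value)
        return "accepted"
    except RejectedArgument as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real attack.
    for sample in ("https://example.com/app.jnlp",
                   "-option-like-value",
                   "https://example.com/a.jnlp -extra",
                   "file:///C:/local.jnlp"):
        print(f"{sample!r}: {check(sample)}")
```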

If we were all running Solaris we would be better off.
Command line validation hack, eh? Sounds like a pretty simple fix.