Serious Java Flaws Unearthed
By Dipankar Das, Gaea News Network
Saturday, April 10, 2010
All current versions of Windows are prone to external attack due to a flaw within the Java Web Start Framework. Two security researchers announced the flaw yesterday. The flaw could lead to anything from very simple Web attacks to a fatal attack on the system. Researchers Tavis Ormandy and Ruben Santamarta made separate statements on this. You can find Ormandy's here and Santamarta's here.
Java Web Start doesn't validate the information sent to it on the command line. That enables attackers to send that information through specially crafted HTML tags in a Web page. All versions of Java SE 6 update 10 for Microsoft Windows are vulnerable to this attack. Disabling the plugin doesn't necessarily mean that you will avoid the attack, because the Deployment Toolkit can be installed independently.
Until Sun releases a patch, the temporary workaround is either not to use Java, or to disable javaws/javaws.exe and disable the Deployment Toolkit. Ormandy contacted Sun officials about the flaws, but they do not think the flaws are serious in nature and so do not believe they warrant any quarterly release of this patch.
May 19, 2010: 2:05 am
Very useful information about Java framework. I can understand what Java framework is in your blog; every point on Java is so interesting.
Web development London