
Another critical Java vulnerability puts 1 billion users at risk

Darlene Storm | Sept. 26, 2012
Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might "spoil the taste of Larry Ellison's morning...Java."

You disclosed that the bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine (type safety). What could an attacker do by exploiting the newest Java vulnerability?

Gowdiak: A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.

What security advice do you have for the one billion Java users at risk?

Gowdiak: Taking into account the risk posed by the bug uncovered, it is best to disable the Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.

To recap, this Java bug is even worse than the last critical Java vulnerability. It puts one billion users of Oracle's Java SE, Java 5, 6 and 7, at risk. It could be exploited using these browsers: Chrome, Firefox, Internet Explorer, Opera and Safari. If you visit a maliciously crafted website, attackers could gain total control of your PC. Wow, thanks a lot Oracle.

