Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

Re: JDK7 vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: JDK7 vulnerability

Subject: Re: JDK7 vulnerability
From: Alexis Tual <email@hidden>
Date: Fri, 31 Aug 2012 10:15:58 +1100

I saw that this week, interesting explanation of the exploit :

http://www.kb.cert.org/vuls/id/636312

Oracle Java 1.7 provides an execute() method for _expression_ objects, which can use reflection to bypass restrictions to the sun.awt.SunToolkit getField() function, which operates inside of a doPrivileged block. The getField() function also uses the reflection method setAccessible() to make the field accessible, even if it were protected or private.

By leveraging the public, privileged getField() function, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Both the Oracle JRE 1.7 and the OpenJDK JRE 1.7 are affected.

2012/8/31 Ramsey Gurley <email@hidden>

Just a heads up...

http://www.us-cert.gov/cas/techalerts/TA12-240A.html

Ramsey
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

References:
	>JDK7 vulnerability (From: Ramsey Gurley <email@hidden>)

Prev by Date: Re: JDK7 vulnerability
Next by Date: Re: JDK7 vulnerability
Previous by thread: Re: JDK7 vulnerability
Next by thread: Question about ERPDFWrapper
Index(es):
- Date
- Thread