Security Vulnerability

Java Deployment Toolkit Bug

Jessica Thornsby

The Java Deployment Toolkit performs insufficient validation of the parameters it passes on, according to a report by Tavis Ormandy.

Java Web Start lets users launch and install a developer's application from a URL that points to a Java Network Launching Protocol (JNLP) file. Ormandy reports, however, that the toolkit, a browser plugin that any web page can call, performs only minimal validation of that URL parameter before handing it to the Java Web Start launcher (javaws), so a caller can pass arbitrary command-line parameters to the utility. He claims this gives an attacker enough functionality to exploit the flaw.

“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” he writes.

All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected. A full run-through of this vulnerability is available at Full Disclosure.
