I made a mistake in my Advisory #10 - Scripting of Java applets does not
stop neither a little modification of my exploit nor execution of Active
Scripting if it is disabled.
Before writing my advisory I tested one time an exploit with Scripitng
of Java Applets disabled and it did stop the exploit - obviously I have
made a mistake and missed something or there is some strange timing
issue with Internet Explorer. Now the same exploit works fine.
Thanks to Mr. TAKAGI for letting me know.
So the only solution to stop the exploit and execution of Active
Scripting is to disable Java.
"TAKAGI, Hiromitsu" wrote:
>
> > Note: This is NOT a bug in the Java language, this is a bug in
> > Microsoft's implementation of Java in IE.
>
> It is not a bug in implementation of "Java". The class JSObject that
> is the magic code of the vulnerability is not included in the
> standard Java API and is included in the package netscape.javascript
> that is an extension library provided by Netscape or Microsoft. So,
> it sounds better to say, "This is NOT a bug of Java, this is a bug
> in Microsoft's implementation of the extension Java package for
> JavaScript".
>
I am not a Java expert and shall not argue about that. Hope the readers
understand my point.
> > If you have Java enabled and Scripting of Java applets enabled, Active
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Scripting may be executed.
>
> > So, to really disable Active Scripting disable Active Scripting and
> > disable Java and/or Scripting of Java applets.
> ^^
> > Workaround: Disable Java or disable Scripting of Java applets
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Disabling "Scripting of Java applets" seems to have no relation with the
> vulnerability. Your exploit code can be refined as the following code
> which does not use the function "Scripting of Java applets". This
> modified version of Guninski's demo is available here.
> http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/
> I confirmed that it is still vulnerable under disabling "Scripting of
> Java applets".
>
This is correct.
Regards,
Georgi Guninski
