One of those features-turned-bugs situations (à la the recent one in PDF):

http://seclists.org/fulldisclosure/2010/Apr/119

It's incredible that Oracle (that looks funny to my eyes when talking about 
Java) doesn't think it's a big enough issue to put out an out-of-band patch.  

http://www.pcworld.com/businesscenter/article/193946/nifty_java_bug_could_lead_to_attack.html

It's also incredible that people don't think JRE attacks are part of standard 
browser exploit toolkits...

"Java has not been exploited to any extent that should worry the average 
consumer, heck, or business for that matter," he said via instant message.

Tavis's PoC:
http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

Alex


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
