On Sun, Sep 9, 2012 at 5:09 PM, John F. Eldredge <[email protected]> wrote:
> Do any of these exploits affect Android, since it is Java-based, or are they 
> only on the standard Java VM?

I can't find any evidence of that when searching Android code repos
for CVE-2012-4681.  But Google doesn't "commit" Android code so much
as they just "dump" it whenever they feel like it, so maybe it's yet
to appear.  Didn't find anything at CyanogenMod either.

Oracle javac is only used in the initial compilation before using dx
to recompile the resulting .class files into a single .dex file.
Android runtime is not Oracle JRE, it's Google Dalvik.

Here's an easy-to-follow breakdown of the exploit:

http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/

There's a YouTube video of a guy controlling a local Ubuntu instance
with the Metasploit module.


-- 
Greg Donald

-- 
You received this message because you are subscribed to the Google Groups 
"NLUG" group.