I saw that this week, interesting explanation of the exploit : http://www.kb.cert.org/vuls/id/636312
Oracle Java 1.7 provides an execute()<http://docs.oracle.com/javase/1.4.2/docs/api/java/beans/Statement.html#execute%28%29>method for Expression<http://docs.oracle.com/javase/1.4.2/docs/api/java/beans/Expression.html>objects, which can use reflection to bypass restrictions to the sun.awt.SunToolkit getField()<http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Class.html#getField%28java.lang.String%29>function, which operates inside of a doPrivileged<http://docs.oracle.com/javase/1.4.2/docs/api/java/security/AccessController.html#doPrivileged%28java.security.PrivilegedAction%29>block. The getField() function also uses the reflection method setAccessible()<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/reflect/AccessibleObject.html#setAccessible%28java.lang.reflect.AccessibleObject%5B%5D,%20boolean%29>to make the field accessible, even if it were protected or private. By leveraging the public, privileged getField() function, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager()<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>function to allow full privileges, without requiring code signing. Both the Oracle JRE 1.7 and the OpenJDK JRE 1.7 are affected. 2012/8/31 Ramsey Gurley <[email protected]> > Just a heads up... > > http://www.us-cert.gov/cas/techalerts/TA12-240A.html > > Ramsey > _______________________________________________ > Do not post admin requests to the list. They will be ignored. > Webobjects-dev mailing list ([email protected]) > Help/Unsubscribe/Update your Subscription: > > https://lists.apple.com/mailman/options/webobjects-dev/alexis.tual%40gmail.com > > This email sent to [email protected] >
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to [email protected]
