brought to you by Oracle Corp.
...of Browser-based Java.
I would have expected Larry to personally direct someone to fix this issue BY NEXT MORNING 10:00.
Apparently the fix is clear - validate the input to the web start *.jar downloading mechanism. They could have added a config file that allows you to enable the old mechanism for selected source hosts, to be 100% sure end users can re-enable legacy apps.
As Oracle apparently has much more important priorities, I suggest they just throw away all the client-side Java stuff. Users will disable it anyhow, now. Or not install Java after being hacked and having had to reinstall their PC.
I just removed Java for good from my machine.
"They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?"
Correct about initial release of JWS. The issue with 6u10, which introduced this "vulnerability by design" was that they made JWS more directly accessible, via the "Deployment Toolkit" ActiveX control (for IE) and the equivalent NPAPI plugin for (most) other browsers. This current exploit depends on the 6u10+ "improvement" in JWS functionality.
First Oracle did not display a determination to fix the bug immediately. And according to some reports, it does NOT fix the issue:
"The Java update apparently does not in all cases stop the known exploit from working. The cause is currently unclear. As an alternative, it still helps to set the kill bit in Internet Explorer for the responsible ActiveX control, for example by saving the following text in the file kill.reg and then double-clicking the file:"
English: ...Apparently the fix does not always work... disable the plugin with the kill bit...