Today Tavis Ormandy published a 0-day vulnerability in Java. His post provides exploit information and a link to a webpage demonstrating the launch of calc.exe on Windows. The vulnerability allows an attacker to execute code remotely on the target machine and can be triggered simply by a user visiting a webpage. It is located in the Java Web Start component and is present in Java running on Windows operating systems. There is no patch or official workaround yet, but Tavis provides suggestions on how users can configure their systems to defend themselves.
Rubén Santamarta provides additional technical information on the vulnerability and points out that Java on Linux is affected as well.
Our vulnerability research team has confirmed the existence of the vulnerability on Windows and we are releasing a detection under QID 117772 in QualysGuard. We will track the development around this vulnerability and keep you posted.
- Summary by Dennis Fisher at ThreatPost