Sun Pushes Emergency Java Patch
Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
Does it bypass UAC? (Score:2, Interesting)
I was affected (Score:2, Interesting)
I was actually hit by one of these "drive by downloads" within Firefox via Java 5-6 weeks ago. Browsing porn, opened a tab to a video, the browser suddenly got sluggish like crazy. Task Manager showed java executable running at near 100% CPU. The processes were so locked up that an attempt to kill either the java process or Firefox just wasn't doing anything. I have Avast for anti-virus, and it wasn't complaining about any virus - until the exact moment I clicked to reboot the machine. At that instant, Avast popped up a virus alert, but it was too late - I guess the reboot process shut down the Avast service/process *before* the browser. Immediately after a reboot I discovered I was, for the first time in my life, rootkitted. It took 2 rounds of Malwarebytes' Anti-Malware [malwarebytes.org] and a Windows-XP-recovery execution of `fixmbr` to completely eradicate.
I would *not* have Java installed (at least not for browsers) to begin with if not for the fact that the Canada Revenue Agency's website *requires* Java just to log in to one's government account. Ridiculous.
Which toolbar does this patch? (Score:3, Interesting)