[Info-vax] Java JVM Security Bypasses (Re: [OT] Wirth style languages, was: Re: Obscure Ada compiler vendors?)
Paul Sture
nospam at sture.ch
Fri Apr 5 15:08:57 EDT 2013
In article <kjmq3e$2f9$1 at dont-email.me>,
Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2013-04-05 14:40:15 +0000, Paul Sture said:
>
> > The Java vulnerabilities of late have been to do with the Java browser
> > plugin rather than its server side.
>
> The vulnerabilities have existed in the JVM, and all have involved JVM
> sandbox bypasses.
>
> (Not escaping the sandbox being not particularly useful to attackers,
> after all.)
>
> The Java web start plugin allows attackers remote access into the JVM,
> though another scripting path was also recently closed.
There was this from mid-March:
"Apple purges OS X flaw that let Java apps run when plugin was disabled"
<http://arstechnica.com/security/2013/03/apple-purges-os-x-flaw-that-let-java-apps-run-when-plugin-was-disabled/>
> > Has anyone else here been monitoring Java server vulnerabilities?
>
> The JVM vulnerabilities have been somewhat hard to miss on the security
> lists, and locally with the Apple Xprotect black-listing.
>
> Brian Krebs has provided good reading on this and related topic areas:
> <http://krebsonsecurity.com>
Thanks.
--
Paul Sture