Nifty Java bug could lead to attack

10.04.2010
A Google researcher has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer.

The attack was Friday by Google's Tavis Ormandy, who said he had notified Oracle's Sun team about the flaw earlier. "They informed me that they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote. "I did not agree."

Oracle declined to comment on the issue. The company just released a last week and its next set of patches is due in July.

The could give hackers a way to run unauthorized Java programs on a victim's machine. They can do this because Java allows developers to tell the Java virtual machine to install alternate Java libraries. By creating a malicious library and then telling the JVM to install it, an attacker could run his malicious program.

Oracle is making a mistake, not patching the bug immediately, said Marc Maiffret, chief security architect with FireEye, via instant message.

The bug is particularly nasty because it's due to a design flaw in Java, rather than the type of programming error that would lead to a more common buffer-overflow attack. "It is a neat bug," he said.