Oracle Java Applet2ClassLoader Vulnerability

Added: 05/05/2011
CVE: CVE-2010-4452
BID: 46388
OSVDB: 71193

Background

Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets.

Problem

Java 6 Update 23 and before are vulnerable to an unsigned code execution vulnerability. This may allow an attacker to trick a user into viewing a website with a malicious embedded Java applet.

Resolution

Upgrade to Oracle JRE 6 Update 25 or later.

References

http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/
http://www.zerodayinitiative.com/advisories/ZDI-11-084/

Limitations

This exploit has been tested against Oracle JRE 6 Update 23 on Windows XP SP3 English (DEP OptIn), Windows Vista SP2 English (DEP OptIn) and Windows 7 SP1 English (DEP OptIn).

Platforms

Windows

Back to exploit index