Update JAVA or get pwned – Sun Releases Emergency Java Patch

ALL YOUR BROWSERS ARE BELONG TO US

Nice one with my morning coffee: Sun Releases Emergency Java Patch

A week ago, Oracle claimed the vulnerability that had been discovered in Java was not a big deal at all. Apparently, they’ve changed their minds on that.

Yesterday afternoon, Oracle pushed an update to Java that fixes a vulnerability that exposed Windows users to drive-by attacks. While Sun had claimed that the issue wasn’t serious enough for them to release a patch prior to the next scheduled version’s release, once Google’s Tavis Ormandy released details of how the attack could be used, Sun relented and released a fix.

The vulnerability was independently discovered by Ruben Santamarta as well, and occurs because of the Java-Plugin Browser, which runs “javaws.exe” without validating command-line parameters.

The new version, Sun Java 1.6.0_20, is available at the Java web site, or you can wait until it’s automatically pushed to you.  Which will happen within 30 days.  Which you probably shouldn’t wait for.

You can also read the full release notes on Oracle’s site.

Don’t walk, run to update your Java… This affects ALL YOUR BROWSERS.
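To find the machines that still need the update, here is an added example (not part of the original post or of Oracle's tooling) that parses collected `java -version` banners and flags anything older than the 1.6.0_20 release named above. The host names and banners are constructed sample data, the function names are hypothetical, and the post does not say which older releases are affected, so the check only reports "predates the fixed release".

```python
import re

# Fixed release named in the post.
FIXED = (1, 6, 0, 20)

# `java -version` prints a line such as:  java version "1.6.0_19"
# The "_NN" update suffix is absent on an initial release ("1.6.0"),
# and a tag such as "-ea" may follow the update number.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (major, minor, micro, update) as ints, or None if not found."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    # Compare numerically: as plain strings, "1.6.0_9" would sort after "1.6.0_20".
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def predates_fix(banner):
    """True if older than FIXED, False if not, None if no version was found."""
    version = parse_java_version(banner)
    if version is None:
        return None
    return version < FIXED


def audit(inventory):
    """Return (hosts to update, hosts to check by hand), both sorted."""
    outdated, unknown = [], []
    for host, banner in inventory.items():
        verdict = predates_fix(banner)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            outdated.append(host)
    return sorted(outdated), sorted(unknown)


# Constructed sample inventory: host name -> captured `java -version` output.
SAMPLE = {
    "desk-01": 'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)',
    "desk-02": 'java version "1.6.0_20"\nJava(TM) SE Runtime Environment (build 1.6.0_20-b02)',
    "desk-03": 'java version "1.6.0_03"',
    "desk-04": 'java version "1.6.0"',
    "desk-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    outdated, unknown = audit(SAMPLE)
    print("update now:", outdated)
    print("check by hand:", unknown)
```

Hosts where no version string could be parsed are listed separately rather than treated as clean, since a missing `java` on the PATH does not prove the browser plugin is absent.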

Personally after getting pwned two weeks ago I’m running all browsers inside Sandboxie – See here for other ideas.
