Crazy Java 0-Day Shenanigans
2012-08-27
There is a crazy Java exploit in the wild. It seems like Microsoft Security Essentials detects it as CVE-2012-1723. Some report it is patched. As of right now, there is code that is still detected by AVs as such, but it still works in the latest JREs.

There is code out there, and the security manager is completely bypassed. You can launch random executables, or do whatever you want. I just compiled the code and tested it with some friends, and was able to launch calc.exe on a PC, xterm on a Mac, copy contents from the clipboard, you name it. Anything a full Java application can do, an applet can do with this exploit. Google "java 0 day" for more info.

I would recommend turning off your Java plugin. I tested it on a Mac, JRE build 1.7.0_08-ea-b04, with both the latest Safari and Firefox. Works. Works on PCs as well running Java 1.7. Thus far I haven't been able to actually launch executables or do bad things on Java 1.6, only 1.7.

I recommend disabling your Java plugin! Srsly. End PSA :')

As a side note, I REALLY need to write an admin interface for this site. Inserting this garbage into sqlite3 is annoying.