It fixes several security issues, seven of which were found by me in May.
There will be some posts on this blog describing the issues, along with an impact analysis.
In particular, the issues are, in order of impact, the following:
- Information Disclosure:
  - 17364779 NETWORKINTERFACE HASHCODE PROBLEM
  - 17322679 JAVA APPLET DNS IP DISCLOSURE
- User Assisted Arbitrary Execution:
  - 17322757 ZERO TERMINATOR ALLOWS JNLP SHORTCUTS
  - 17322755 NEW LINES IN JNLP TITLE ARE COPIED INTO LNK FILES
- Network and WEB Attacks:
20th Apr - 6 May 2010: Advisories sent to Oracle
25th June 2010: Oracle Confirms all issues
12 Oct 2010: Java update 22 released which fixes 7 out of 10 issues.
11-20 Oct 2010: Minded Security Advisories publicly disclosed.
Credits:
All the issues were found by Stefano Di Paola of Minded Security.
Hi,
the issues you disclosed are really the result of some great work! My biggest respect for this.
But now I have a problem. I have an applet which determines the MAC addresses of users and sends the results via JavaScript XMLHTTP calls to a server-side script for analysis. This applet does not work anymore, because of the update Oracle released.
Is there still a way, you know, I am able to get the MAC addresses of the users via the applet method? The applet was really important to my company's network security, so I would be really, really glad if you had a solution for us.
Thank you in advance.