A flaw exists in Java's 'performSSVValidation' method that, when combined with JNLP, allows an unsigned Java applet to be launched without the Security Warning pop-up window. The flawed method accepts an undocumented parameter which, if set to 'true', instructs Java not to perform the applet's signature check.
Sample of specially crafted JNLP file:
The <resources> tag contains the name of the JAR file to launch, followed by 'applet-desc' pointing at the class file where execution starts. Setting the parameter '__applet_ssv_validated' to 'true' bypasses the Security Warning window.
This flaw is fixed in the Java 1.7.21 update.
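A defensive check for the pattern described above, as an added example that is not part of the original post: a Python scanner that flags any JNLP file whose 'applet-desc' carries the '__applet_ssv_validated' parameter. The two sample JNLP documents, the JAR name and the class name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BYPASS_PARAM = "__applet_ssv_validated"  # parameter name taken from the post

# Constructed samples (not from the original post).
SUSPICIOUS_JNLP = """<jnlp spec="1.0" href="applet.jnlp">
  <information><title>Example</title><vendor>Example</vendor></information>
  <resources><jar href="example.jar" main="true"/></resources>
  <applet-desc name="Example" main-class="Example" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"/>
  </applet-desc>
</jnlp>"""

BENIGN_JNLP = """<jnlp spec="1.0" href="applet.jnlp">
  <resources><jar href="example.jar" main="true"/></resources>
  <applet-desc name="Example" main-class="Example" width="300" height="200">
    <param name="colour" value="blue"/>
  </applet-desc>
</jnlp>"""


def scan_jnlp(text):
    """Return one finding per <applet-desc> param named like the bypass flag."""
    # Refuse DTDs so entity-expansion tricks never reach the XML parser.
    if "<!DOCTYPE" in text.upper():
        raise ValueError("JNLP with a DOCTYPE is not parsed")
    root = ET.fromstring(text)
    jars = [jar.get("href") for jar in root.iter("jar")]
    findings = []
    for applet in root.iter("applet-desc"):
        for param in applet.iter("param"):
            name = (param.get("name") or "").strip()
            value = (param.get("value") or "").strip().lower()
            # A legitimate JNLP has no reason to set this parameter at all,
            # so report it whatever the value and mark the "true" case.
            if name == BYPASS_PARAM:
                findings.append({
                    "main_class": applet.get("main-class"),
                    "jars": jars,
                    "bypass_requested": value == "true",
                })
    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_JNLP), ("benign", BENIGN_JNLP)):
        print(label, scan_jnlp(doc))
```

The same function can be run over JNLP files captured at a web proxy or mail gateway; any finding is worth triage on hosts running Java older than the fixed update.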
External sources:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html
http://security-obscurity.blogspot.no/2013/04/the-latest-java-exploit-with-security.html