$5,000 will buy you access to another, new critical Java vulnerability (Updated)

Posted by BernardSwiss on Jan 17, 2013 4:51 PM EDT
Ars Technica; By Dan Goodin

An exploit for yet another critical Java software vulnerability began circulating online amid reports that the patch Oracle issued two days ago is incomplete.

"Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete," Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findclass method and the other involving the invokeWithArguments() method. While Sunday's patch fixed the latter issue, the findclass method can still be used to get references to restricted classes, leaving a hole that attackers can exploit.
