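菁英科技 recently discovered multiple vulnerabilities in Java, including a buffer overflow vulnerability in the code that processes ICC Color Profiles and a command injection vulnerability in Java Web Start.
The vulnerabilities arise because the Java virtual machine does not properly handle user-supplied buffer sizes and commands, allowing an attacker to exploit them to execute arbitrary malicious code on the victim's computer.
Oracle has released the corresponding patches; users should update as soon as possible.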
[Affected Versions]
- Oracle Java JDK and JRE 6 Update 25 and earlier
- Oracle Java JDK 5.0 Update 29 and earlier
- Oracle Java SDK 1.4.2_31 and earlier
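A version check against the affected-version list above, as an added example that is not part of the original advisory. It assumes the banner format printed by `java -version` (for instance `1.6.0_25` for Java 6 Update 25); the function names and the sample banners are constructed for illustration.

```python
import re

# Last affected update per release family, taken from the advisory's list.
# Keys are the version prefix that `java -version` prints:
# Java 6 -> 1.6.0, Java 5.0 -> 1.5.0, SDK 1.4.2 -> 1.4.2.
LAST_AFFECTED_UPDATE = {
    (1, 6, 0): 25,
    (1, 5, 0): 29,
    (1, 4, 2): 31,
}

# Matches e.g. version "1.6.0_25", version "1.6.0_25-b06", version "1.6.0"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return ((major, minor, micro), update) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    family = tuple(int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # no "_NN" suffix: base release
    return family, update


def is_affected(banner):
    """True/False for families the advisory lists; None if unparsable or unlisted."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    limit = LAST_AFFECTED_UPDATE.get(family)
    if limit is None:
        return None  # family not covered by this advisory; check it separately
    return update <= limit


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    'java version "1.6.0_25"',
    'java version "1.6.0_26-b03"',
    'java version "1.5.0_22"',
    'java version "1.4.2_32"',
    'java version "1.7.0"',
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r}: affected={is_affected(banner)}")
```

A result of `None` means the banner could not be parsed or belongs to a release family this advisory does not list, so it needs a separate check rather than being treated as safe.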
[Reference]
Vendor Site
Oracle Patch Update Advisory
Zero Day Initiative Advisories
- http://www.zerodayinitiative.com/advisories/ZDI-11-182
- http://www.zerodayinitiative.com/advisories/ZDI-11-183
- http://www.zerodayinitiative.com/advisories/ZDI-11-184
- http://www.zerodayinitiative.com/advisories/ZDI-11-185
- http://www.zerodayinitiative.com/advisories/ZDI-11-186
- http://www.zerodayinitiative.com/advisories/ZDI-11-187
- http://www.zerodayinitiative.com/advisories/ZDI-11-188
- http://www.zerodayinitiative.com/advisories/ZDI-11-189
- http://www.zerodayinitiative.com/advisories/ZDI-11-190
- http://www.zerodayinitiative.com/advisories/ZDI-11-191
- http://www.zerodayinitiative.com/advisories/ZDI-11-129
SecurityFocus BugTraq IDs
- http://www.securityfocus.com/bid/48133
- http://www.securityfocus.com/bid/48134
- http://www.securityfocus.com/bid/48135
- http://www.securityfocus.com/bid/48136
- http://www.securityfocus.com/bid/48137
- http://www.securityfocus.com/bid/48138
- http://www.securityfocus.com/bid/48139
- http://www.securityfocus.com/bid/48140
- http://www.securityfocus.com/bid/48141
- http://www.securityfocus.com/bid/48142
- http://www.securityfocus.com/bid/48143
- http://www.securityfocus.com/bid/48144
- http://www.securityfocus.com/bid/48145
- http://www.securityfocus.com/bid/48146
- http://www.securityfocus.com/bid/48147
- http://www.securityfocus.com/bid/48148
- http://www.securityfocus.com/bid/48149