There is a known security exploit for JRE 6u13 which allows the remote execution of code. This could have been used to access old versions of the JRE.<br><br><a href="http://www.milw0rm.com/exploits/8665">http://www.milw0rm.com/exploits/8665</a><br clear="all">
<br>- Brian<br>
<br><br><div class="gmail_quote">On Sat, Jun 6, 2009 at 12:48 PM, Kristian Erik Hermansen <span dir="ltr">&lt;<a href="mailto:kristian.hermansen@gmail.com">kristian.hermansen@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello!<br>
<br>
I am currently researching methods that allow a malicious website to<br>
load previously installed Java runtime environments. A common issue<br>
is that even after updating Sun's JRE (on Windows), most users do not<br>
remove the older versions, which is a potential vector for abuse. We<br>
logged one of our internal employees getting hijacked in this way,<br>
even though they had (and we confirmed using the logs) the latest Sun<br>
JRE 6u13. However, using methods I will not detail just yet, the<br>
website was able to convince the browser to load JRE 6u5, which has a<br>
myriad of known security issues. The website in question attempted to<br>
load all previous JRE versions (starting at the oldest<br>
chronologically), in a brute force manner, until one that was<br>
installed was enumerated and exploited.<br>
<br>
If you have done any research in this area, or know of anyone who can<br>
point to technical documents that might expose other related attack<br>
vectors, please do let me know. Or we could have a discussion here in<br>
this thread if others are interested in how this website was able to<br>
do this. However, I want to save the specific details for a tech<br>
paper/conference since I have never heard of anyone doing this before<br>
and it might be 0day. We have never seen it in our environment and we<br>
process many terabytes of log data per month...<br>
<br>
Cheers,<br>
<font color="#888888">--<br>
Kristian Erik Hermansen<br>
_______________________________________________<br>
Noisebridge-discuss mailing list<br>
<a href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br>
</font></blockquote></div><br>
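<br>
A defender's view of the situation described in the quoted message, as an added example that is not part of the original thread: a log check that flags clients whose requests carry an older Java runtime version than the newest one already seen from the same client. The log format, addresses and hostnames are constructed assumptions, and the check assumes the proxy records the "Java/&lt;version&gt;" User-Agent token that Java's built-in HTTP client sends.

```python
import re
from collections import defaultdict

# Java's built-in HTTP client identifies itself with a "Java/<version>" token.
JAVA_UA = re.compile(r"Java/1\.(\d+)\.0(?:_(\d+))?")

# Constructed sample lines; assumed format: timestamp client url "user-agent"
SAMPLE_LOG = """\
2009-06-05T09:12:01 10.0.0.21 http://intranet.example/tool.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13"
2009-06-06T11:40:02 10.0.0.21 http://site.example/index.html "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.10"
2009-06-06T11:40:17 10.0.0.21 http://site.example/a.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_05"
2009-06-06T12:03:44 10.0.0.34 http://intranet.example/tool.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13"
"""


def parse_java_version(user_agent):
    """Return (major, update) for a Java User-Agent, or None for other clients."""
    m = JAVA_UA.search(user_agent)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def find_older_runtime_use(log_text):
    """Map client -> requests made by a JRE older than the newest seen from it."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, url, user_agent = parts
        version = parse_java_version(user_agent)
        if version is not None:
            seen[client].append((ts, url, version))
    findings = {}
    for client, events in seen.items():
        newest = max(version for _, _, version in events)
        stale = [e for e in events if e[2] < newest]
        if stale:
            findings[client] = stale
    return findings


if __name__ == "__main__":
    for client, events in find_older_runtime_use(SAMPLE_LOG).items():
        for ts, url, (major, update) in events:
            print(f"{client} {ts} Java {major}u{update} fetched {url}")
```

A hit only shows that an older runtime was active on the client; removing the superseded JRE installations is what closes the gap.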