[Noisebridge-discuss] hijacking old java runtime environments

Kristian Erik Hermansen kristian.hermansen at gmail.com
Sat Jun 6 19:48:27 UTC 2009


Hello!

I am currently researching methods that allow a malicious website to
load previously installed Java runtime environments.  A common issue
is that even after updating Sun's JRE (on Windows), most users do not
remove the older versions, which is a potential vector for abuse.  We
logged one of our internal employees getting hijacked in this way,
even though they had (and we confirmed using the logs) the latest Sun
JRE 6u13.  However, using methods I will not detail just yet, the
website was able to convince the browser to load JRE 6u5, which has a
myriad of known security issues.  The website in question attempted to
load all previous JRE versions (starting at the oldest
chronologically), in a brute force manner, until one that was
installed was enumerated and exploited.

If you have done any research in this area, or know of anyone who can
point to technical documents that might expose other related attack
vectors, please do let me know.  Or we could have a discussion here in
this thread if others are interested in how this website was able to
do this.  However, I want to save the specific details for a tech
paper/conference since I have never heard of anyone doing this before
and it might be 0day.  We have never seen it in our environment and we
process many terabytes of log data per month...

Cheers,
-- 
Kristian Erik Hermansen
