I bet this exploit fails on win-98 systems.
I have 1.6.0_30 (Java 6 Update 30) installed on this win-98 system of
mine. If anyone can point me to the PoC code mentioned below, I'll try
it on and post my results...
==================================
http://www.eweek.com/security/new-java-vulnerability-allows-sandbox-bypass-security-firm-says.html
Researchers at Security Explorations have uncovered a new critical
zero-day flaw affecting all supported versions of Oracle Java.
The bug discovery was announced Tuesday on the Full Disclosure security
mailing list, though technical details of the vulnerability remain under
wraps. According to Security Explorations CEO Adam Gowdiak, however, the
flaw impacts Java Standard Edition versions 5, 6 and 7 and can be used
to break out of the Java sandbox.
"The issue is tricky to find," he said. "Same for the exploit code to
develop. It would be fair to say that both were of a moderate
difficulty."
The researchers say they confirmed the bug on the Firefox, Google
Chrome, Internet Explorer, Opera and Apple Safari browsers. Oracle has
confirmed the flaw’s existence and stated that it will be addressed in a
future Java critical patch update, according to Gowdiak.
The prevalence of Java has made it a common target for hackers,
prompting some in the security community to call for organizations to
disable the technology if it is not needed. Exploits for Java bugs have
become staples of attack kits such as Black Hole and others. There is
little danger of that in this case, however, since the bug was disclosed
privately, said Marcus Carey, security researcher at Rapid7.
"There are tons of privately reported bugs for software, which makes it
a bit strange that this is generating the amount of buzz that it is," he
said. "Organizations and consumers should always treat Java and other
plug-ins as if there are zero-day exploits out there targeting them,
even when we don’t know of any specific ones being used."
To reduce risk, he recommended that users only install plug-ins when
needed and disable or uninstall them if they are unnecessary.
"If you have to enable dynamic content that requires plug-ins, only do
so from trusted sites, as others could very well be compromised," he
added.
"If there isn’t a reasonable use case for someone to have Java
installed, then they can certainly consider removing it altogether,"
Satnam Narang, security response manager at Symantec, said in an
interview Aug. 30. "However, if there is a use case for having it
installed, it’s simply best to ensure that it is patched and kept
up-to-date. If there is an exploit in the wild and no patch is currently
available, users should disable Java until a patch is made available."
Due to the number of people running Java, the potential impact of the
bug could affect a large number of desktops, Gowdiak said. The severity
of the issue is also critical because of the implications of a full Java
security sandbox bypass.
"What this means is that a malicious Java applet or application
exploiting the vulnerability could run unrestricted in the context of a
target Java process such as a web browser application," he explained.
"An attacker could then install programs, view, change, or delete data
with the privileges of a logged-on user. In our proof of concept code we
create a file and execute "notepad.exe" application on Windows."