Unofficial Java Vulnerability Fix

A patch for a serious Java bug. No longer needed as of June 16.

What is this?

As of June 16, Apple have finally released an official patch, so this one is no longer needed.

The current publicly available version of Java for Mac OS X has a bug which allows any web page you visit to remotely (and silently) install software on your machine.

This has been exploited by such unscrupulous people as me, for the multitouch demo. Luckily there haven't been any reports of malicious exploits yet (as far as I know). It would be almost trivial to use this to install malware.

This page's applet uses that same security hole to escape the applet sandbox, then patches the bug so it can't be exploited again. Scroll down the page and click the 'Start' button.

Technical details

The vulnerability is CVE-2008-5353. An official fix is available, but only with the latest Java beta and only for registered ADC members. For a vulnerability this critical, that's just not good enough.

The bytecode for Calendar.readObject() is patched (using the wonderful ASM library) to replace the single call to AccessController.doPrivileged with a version which provides only the required privileges (access to sun.util.calendar) rather than full system access. That unrestricted doPrivileged call is what made the bug exploitable: the object deserialized inside it comes straight from the attacker's stream, so any readObject() the attacker smuggles in runs with the system domain's full permissions.
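The following is an added source-level illustration of the pattern described above; it is neither the JDK's Calendar code nor the bytecode patch from this page. The class and method names (PrivilegedDeserialization, readVulnerable, readHardened, readNext) are made up for the example. It shows the vulnerable shape (deserialization of attacker-controlled data inside an unrestricted doPrivileged) next to the hardened shape, which passes an AccessControlContext carrying only the one permission the real work needs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/*
 * Added illustration of the CVE-2008-5353 pattern at source level. Not the
 * JDK's Calendar code and not the ASM patch described on the page; all names
 * here are assumptions made for the example.
 */
public class PrivilegedDeserialization {

    // The action both variants run: read the next object from a stream that,
    // in the real bug, came straight from the applet (attacker-controlled).
    private static PrivilegedExceptionAction<Object> readNext(final ObjectInputStream in) {
        return new PrivilegedExceptionAction<Object>() {
            public Object run() throws IOException, ClassNotFoundException {
                return in.readObject();
            }
        };
    }

    // PrivilegedActionException wraps the checked exception thrown by run();
    // rethrow it with its original type so callers see the normal contract.
    private static IOException unwrap(PrivilegedActionException e)
            throws ClassNotFoundException {
        Exception cause = e.getException();
        if (cause instanceof ClassNotFoundException) throw (ClassNotFoundException) cause;
        if (cause instanceof IOException) return (IOException) cause;
        return new IOException(cause);
    }

    /*
     * Vulnerable shape. doPrivileged() stops the permission stack walk at this
     * frame, so the code inside runs with this class's own permissions. When the
     * caller is a bootstrap class (as java.util.Calendar is) that means
     * AllPermission, and whatever readObject() the attacker smuggled into the
     * stream inherits it.
     */
    static Object readVulnerable(final ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        try {
            return AccessController.doPrivileged(readNext(in));
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    // Only the permission the legitimate work needs: loading classes from
    // sun.util.calendar (the package ZoneInfo lives in). Nothing else.
    private static final AccessControlContext CALENDAR_ONLY;
    static {
        Permissions perms = new Permissions();
        perms.add(new RuntimePermission("accessClassInPackage.sun.util.calendar"));
        CALENDAR_ONLY = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    /*
     * Hardened shape. With a context argument the privileges asserted are the
     * intersection of this frame's permissions and the context's, so a hostile
     * readObject() now runs with nothing but accessClassInPackage.sun.util.calendar.
     */
    static Object readHardened(final ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        try {
            return AccessController.doPrivileged(readNext(in), CALENDAR_ONLY);
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    // Round-trips a constructed, benign object through both variants. With no
    // SecurityManager installed they behave identically, which is the point:
    // the fix changes only what a hostile payload may do, not what legitimate
    // data does.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(buf);
        out.writeObject("constructed sample payload");
        out.close();
        byte[] bytes = buf.toByteArray();

        Object a = readVulnerable(new ObjectInputStream(new ByteArrayInputStream(bytes)));
        Object b = readHardened(new ObjectInputStream(new ByteArrayInputStream(bytes)));
        System.out.println(a + " / " + b);
    }
}
```

The difference only becomes observable under a SecurityManager, where a payload whose readObject() attempts something like reading an unprivileged system property succeeds via readVulnerable and gets an AccessControlException via readHardened. Note that the whole SecurityManager mechanism this relies on is deprecated for removal in current JDKs (JEP 411); the example reflects the Java 5/6 era the page is about.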

Replacing the jar file at...

/System/Library/Frameworks/JavaVM.framework/Versions/*/Classes/classes.jar

... requires administrator access, so a small C stub is used to call AuthorizationExecuteWithPrivileges. You will be required to authenticate with an administrator password.

The original classes.jar file will be left in /tmp as a backup. Note that /tmp is cleaned out at reboot, so copy the backup elsewhere if you want to keep it.

The patch will be overwritten when the official patch from Apple is finally released.

The applet

Again, this is no longer needed if you have run Software Update since June 16, so I have taken it down.
