Monday, July 27, 2009

Java security bugs revisited

A couple of weeks back, I heard that Sun is probably releasing new updates at the end of July, so it might be a good time to update my bug fix table.

Let's see if they've gotten around to looking at some of these issues as well. I'm obviously very biased here and think all the vulnerabilities I've found are important and should be fixed very promptly, but the anniversaries of some of these bugs are already around the corner.

Issue                                                                  Reported          Status      Fixed              Days Open
FileSystemView allows read access to file system structure             May 11th, 2008    Fixed       Dec 2nd, 2008      204
Read access to System Properties                                       Aug 18th, 2008    Not Fixed   N/A                342*
Calendar.readObject allows elevation of privileges                     Aug 1st, 2008     Fixed       Dec 2nd, 2008**    122
Undisclosed vectors allow elevation of privileges                      Oct 19th, 2008    Not Fixed   N/A                280*
Undisclosed vectors allow directory listing and file renaming/moving   Oct 26th, 2008    Not Fixed   N/A                273*
Generic security architecture problem                                  Nov 2nd, 2008     Not Fixed   N/A                266*
Undisclosed vectors allow folder creation                              Oct 20th, 2008    Not Fixed   N/A                279*

* and counting (calculated as of July 27th, 2009)
** a more generic deserialization issue fixed on March 24th, 2009
