Sunday, April 12, 2009

Timeline of Sun Microsystems fixing Java security bugs

List of Java applet security related bugs I've reported to Sun, and the number of days between my report and the fix.

* and counting (calculated as of April 27th, 2009)
** a more generic deserialization issue fixed on March 24th, 2009

| Bug | Reported | Status | Fixed | Days Open |
|---|---|---|---|---|
| FileSystemView allows read access to file system structure | May 11th, 2008 | Fixed | Dec 2nd, 2008 | 204 |
| Read access to System Properties | Aug 18th, 2008 | Not Fixed | N/A | 251* |
| Calendar.readObject allows elevation of privileges | Aug 1st, 2008 | Fixed | Dec 2nd, 2008** | 122 |
| Undisclosed vectors allow elevation of privileges | Oct 19th, 2008 | Not Fixed | N/A | 189* |
| Undisclosed vectors allow directory listing and file renaming/moving | Oct 26th, 2008 | Not Fixed | N/A | 182* |
| Generic security architecture problem | Nov 2nd, 2008 | Not Fixed | N/A | 175* |
| Undisclosed vectors allow folder creation | Oct 20th, 2008 | Not Fixed | N/A | 188* |
