Java is fun!

[Dave Aitel <dave () kof immunityinc com>]

So here are a couple of blog posts about a great bug that has been used to
great effect and is in a CANVAS installation near you!

http://blog.cr0.org/2009/05/write-once-own-everyone.html
http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

Basically, you get to execute Java code as the user if they visit your web
page and have Java turned on. This is default in Fedora, for example, and
Bas handily owned my laptop with it. In CANVAS you don't execute commands so
much as get a JavaNode connectback (which is somewhat similar to MOSDEF).

Anyways, it's one of my favorite updates to CANVAS recently. Go Julian and
his wacky ReplaceObject() tricks! :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave