The vulnerability is due to Java Development Kit on the parameters caused by insufficient validation. According to Ormandy's interpretation, Java was originally through the Java Web Start (JWS) for Java developers by allowing users to access the Java Web URL implementation of the Agreement (. Jnlp) to implement and install the application, but since the tenth Java 6 update edition, provides the Java Development Kit (Java Deployment Toolkit, JDT) to simplify the application developers to spread the program.
JDT's role is to the received URL string passed to the JWS registration procedures, but the Ormandy discovered, JDT provides only the most basic parameters authentication URL, causing him to pass any parameters to the JWS in, but also by command line argument (command-line arguments) to exercise the full functionality of JWS to make the error a vulnerability that can be attacked.
Ormandy said, as long as Java SE 6 update 10 and later versions support all Microsoft windows affected by the vulnerability, close the Java plug-in functionality and could not avoid the attack, because the JDT as an independent installation package. Ormandy believe that non-Windows version can be spared.
However, Qualys CTO Wolfgang Kandek said that the vulnerability allows hackers to execute remote target computer program, and the user need only visit a single web page could trigger attacks.
Ormandy said relevant departments have been informed of the vulnerability exists, but the response is not important to the vulnerability in addition to quarterly updates to provide emergency updates. Ormandy recommend that users patch the loophole was closed before the relevant control tools.