Wednesday, August 10, 2011

0-day already out to exploit yesterday’s IE bugs

If it wasn’t already known to Microsoft, I can confirm first hand that today I downloaded and played with an available 0-day to exploit Internet Explorer bugs in the wild. Microsoft has just released the patches to fix these exploits, but I was surprised to see that the exploits are available free for the world to use.

The exploits basically allow remote code execution from a website once visited through Internet Explorer. Once such a malicious page is visited, the hacker is able to take control of the machine and perform administrative operations, including but not limited to adding backdoors, stealing information or making hacked computers act as bots to mass attack servers.

I will not disclose where the code is available to play with, but it is surely a warning for all Windows users to update their installation with the patches released yesterday. It is not just about your information, but your computers could be used to launch other attacks.

Details of the patches can be found here and here. Microsoft releases security patches on Tuesdays, but critical patches should be released asap!!

Monday, August 8, 2011

Maven dependency for tools.jar in JDK7

Although it has been known for some time now that JDK 7 changes the value of the java.vendor property from “Sun Microsystems Inc.” to “Oracle Corporation”, I thought it would serve as a good reminder since Java 7 final was just released.

If you have a Maven project that uses tools.jar and adds it as a dependency to the project as follows:

...
<profiles>
  <profile>
    <id>default-tools.jar</id>
    <activation>
      <property>
        <name>java.vendor</name>
        <value>Sun Microsystems Inc.</value>
      </property>
    </activation>
    <dependencies>
      <dependency>
        <groupId>com.sun</groupId>
        <artifactId>tools</artifactId>
        <version>1.4.2</version>
        <scope>system</scope>
        <systemPath>${java.home}/../lib/tools.jar</systemPath>
      </dependency>
    </dependencies>
  </profile>
</profiles>
...

To make this work with JDK 7, you have to change the java.vendor value to Oracle Corporation like this:

...
<profiles>
  <profile>
    <id>default-tools.jar</id>
    <activation>
      <property>
        <name>java.vendor</name>
        <value>Oracle Corporation</value>
      </property>
    </activation>
    <dependencies>
      <dependency>
        <groupId>com.sun</groupId>
        <artifactId>tools</artifactId>
        <version>1.4.2</version>
        <scope>system</scope>
        <systemPath>${java.home}/../lib/tools.jar</systemPath>
      </dependency>
    </dependencies>
  </profile>
</profiles>
...
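
An alternative that avoids hard-coding the vendor string, shown here as an added example rather than configuration from the original post: the profile activates on the presence of tools.jar itself, so the same POM builds on JDKs reporting either vendor value. It goes beyond the vendor fix above and assumes tools.jar sits at the path the post already uses; the profile id is made up for the example.

```xml
<profiles>
  <profile>
    <!-- Hypothetical profile id, chosen for this example -->
    <id>tools.jar-by-file</id>
    <activation>
      <!-- Activate when the file exists, whatever java.vendor reports -->
      <file>
        <exists>${java.home}/../lib/tools.jar</exists>
      </file>
    </activation>
    <dependencies>
      <dependency>
        <groupId>com.sun</groupId>
        <artifactId>tools</artifactId>
        <version>1.4.2</version>
        <scope>system</scope>
        <!-- Same path as in the post; assumed valid for the JDK in use -->
        <systemPath>${java.home}/../lib/tools.jar</systemPath>
      </dependency>
    </dependencies>
  </profile>
</profiles>
```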