Lucene search

K
zdiBen MurphyZDI-13-042
HistoryMar 22, 2013 - 12:00 a.m.

Oracle Java setUncaughtExceptionHandler Security Manager Bypass Remote Code Execution Vulnerability

2013-03-2200:00:00
Ben Murphy
www.zerodayinitiative.com
11

EPSS

0.043

Percentile

92.3%

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within java.lang.Thread’s setUncaughtExceptionHandler method allowing for a callback to be run with using the JDK’s access control context. This allows a malicious applet to execute attacker supplied code resulting in remote code execution under the context of the process.