 
Begin forwarded message:

From: Dave Aitel <dave@kof.immunityinc.com>
Date: May 20, 2009 4:39:57 AM GMT-04:00
To: dailydave@lists.immunitysec.com
Subject: [Dailydave] Java is fun!

So here are a couple of blog posts about a great bug that has been used to great effect and is in a CANVAS installation near you!
http://blog.cr0.org/2009/05/write-once-own-everyone.html
http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
Basically, you get to execute Java code as the user if they visit your web page and have Java turned on. This is default in Fedora, for example, and Bas handily owned my laptop with it. In CANVAS you don't execute commands so much as get a JavaNode connectback (which is somewhat similar to MOSDEF).
Anyways, it's one of my favorite updates to CANVAS recently. Go Julian and his wacky ReplaceObject() tricks! :>
-dave
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave