Updates on the GIFAR vulnerability
First, I'd like to congratulate Billy Rios, Nate McFeters, Rob Carter, and John Heasman as the GIFAR Java attack was selected as the top web hacking attack technique for 2008. I had the opportunity to meet Nate McFeters at a STLSec event, and I was impressed by how down to earth and knowledgeable he is.
Second, through the post on Jeremiah's blog I learned of this post by Billy Rios. It contains a great write-up of a practical GIFAR attack, with Google as the example.
Finally, Sun has patched this particular attack vector; see Sun advisory #244988. The fix is included as of JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19.

