Simon Willison's Weblog: appletshttp://simonwillison.net/2009-05-19T19:07:56+00:00Simon WillisonCritical Mac OS X Java Vulnerabilities2009-05-19T19:07:56+00:002009-05-19T19:07:56+00:00https://simonwillison.net/2009/May/19/critical/#atom-tag
<p><strong><a href="http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html">Critical Mac OS X Java Vulnerabilities</a></strong></p>
There’s a five month old Java arbitrary code execution vulnerability which hasn’t yet been patched by Apple. Disable Java applets in your browser until it’s fixed, or random web pages could execute commands on your machine as your user account.
<p>Tags: <a href="https://simonwillison.net/tags/apple">apple</a>, <a href="https://simonwillison.net/tags/applets">applets</a>, <a href="https://simonwillison.net/tags/browsers">browsers</a>, <a href="https://simonwillison.net/tags/java">java</a>, <a href="https://simonwillison.net/tags/macos">macos</a>, <a href="https://simonwillison.net/tags/security">security</a></p>
Evil GIFs: Partial Same Origin Bypass with Hybrid Files2008-07-01T08:58:45+00:002008-07-01T08:58:45+00:00https://simonwillison.net/2008/Jul/1/evil/#atom-tag
<p><strong><a href="http://radar.oreilly.com/archives/2008/06/partial-same-origin-bypass-wit.html">Evil GIFs: Partial Same Origin Bypass with Hybrid Files</a></strong></p>
First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.
<p>Tags: <a href="https://simonwillison.net/tags/applets">applets</a>, <a href="https://simonwillison.net/tags/crossdomainxml">crossdomainxml</a>, <a href="https://simonwillison.net/tags/gifs">gifs</a>, <a href="https://simonwillison.net/tags/javaapplets">javaapplets</a>, <a href="https://simonwillison.net/tags/pngs">pngs</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/uploads">uploads</a>, <a href="https://simonwillison.net/tags/validation">validation</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>