A security expert, Sami Koivu, discovered a critical security flaw in Java and reported it to Sun in 2008, but it’s still not fixed.
“This bug reaches the severity threshold where ideally I wouldn’t talk about it until a fix has been issued, but as the Facebook relationship status would put it: It’s complicated,” Koivu said.
By manipulating a JFileChooser object using a Timer and ActionListeners, a hacker can not only view a user's file system but also create folders, move and rename files, or do pretty much whatever she wants, all from an applet. That's not supposed to be possible.
Normally, this type of security flaw would be considered a zero-day threat or a case for the Zero Day Initiative (ZDI).
“It doesn’t qualify for ZDI because I already notified Sun by myself in 2008 about various vulnerabilities, first via their bug tracking (I didn’t know any better) system and later on via e-mail to their security address, which resulted in the famous Calendar Serialization issue getting fixed,” Koivu explained. “This JFileChooser issue just never got fixed. To be clear: after 2008, they never got back to me and I didn’t harass them to fix it.”
The bug could be used for delayed remote code execution. “For example, a .jar might be moved from the Java Cache into the Java extension folder which has higher permissions. Or imagine an executable posing as an image, which gets renamed, then moved to a system folder,” Koivu said.