[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Sun Java Update Scheduler gets placed in autostart without absolute path quotes

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Sun Java Update Scheduler gets placed in autostart without absolute path quotes
From: "Paul" <pvnick@xxxxxxxxx>
Date: Mon, 16 Jan 2006 19:16:05 -0500

Name: SunJavaUpdateSched

Value: C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

 

…Meaning that Windows will attempt to execute C:\Program.exe first, and then
the rest of the path if that doesn’t exist.

 

Might be a bug in the old version – I haven’t updated yet. Not a very
critical bug, although the autostart is in HKLM, so users can install
malware on other users’ accounts.

 

Kind regards,

Paul Nickerson

Greyhats Security


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.19/231 - Release Date: 1/16/2006

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] MDKSA-2006:015 - Updated hylafax packages fix eval injection vulnerabilities
Next by Date: [Full-disclosure] MDKSA-2006:016 - Updated clamav packages fix vulnerability
Previous by thread: [Full-disclosure] MDKSA-2006:015 - Updated hylafax packages fix eval injection vulnerabilities
Next by thread: [Full-disclosure] MDKSA-2006:016 - Updated clamav packages fix vulnerability
Index(es):
- Date
- Thread