Java Vulnerabilities and Exploits

Another interesting ISC post which I hadn't gotten to write about is this one. It was determined that the malicious java class file was exploiting a vulnerability closed around January (CVE-2007-0243), and interestingly, 12% of ISC visitors were still vulnerable. However, it could have just as easily been this new vulnerability in Java's image handling code (CVE-2007-3004) which seems to be basically the same thing.

I have written many times about vulnerabilities which derive from the incorrect handling of image and multimedia formats, as well as the vulnerabilities induced by plugins in general. Many such vulnerabilities are being flushed out right now due to the ability to find them simply by creating format fuzzers. Therefore, I have a feeling we will still be inundated by them for a while, and thus client-side security will be important for quite some time.