Security researchers have warned of a flaw in Java that could allow malware writers to inject code onto user's machines.
The flaw is in the Java Web Start system built for developers, and affects every version since Java 6 Update 10.
The code contains a NPAPI plug-in and ActiveX control called Java Deployment Toolkit which does not check the full parameters of URLs.
"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," wrote researcher Tavis Ormandy on the Full Disclosure mailing list.
"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."
Ormandy explained that the flaw leaves all Windows users of Java open to attack. He published his findings because Sun Microsystems owner Oracle does not consider the bug important enough to break its quarterly patching schedule.
"Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," he said.
"For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Protect Your Business From Security Threats with PROprotection™ from UKFast