August 29, 2007 8:03 AM PDT

Oracle JInitiator security flaw discovered

by Dawn Kawamoto

Security researchers have found a "highly critical" security flaw in Oracle's JInitiator ActiveX control, which allows users to run Oracle Developer Server applications in a Web browser, according to a report by the United States Computer Emergency Readiness Team (US-CERT).

According to the folks at US-CERT, the vulnerabilities appear to be in JInitiator 1.1.8.16 and earlier versions of the software. The security flaws could allow an attacker to gain remote control of a user's system and execute arbitrary code.

A malicious attacker may be able to exploit the vulnerabilities within the Oracle JInitiator "beans.ocx" Active X control, when it handles certain initialization parameters that aren't specified, according to a posting by security research firm Secunia.

That, as a result, could lead to a stack-based buffer overflow, after a user is tricked into visiting a malicious Web site.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News. E-mail Dawn.

Topics:: Security

Tags:: Oracle,; JInitiator

Share:: Digg; Del.icio.us; Reddit; Facebook

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

Inside CNET News

Scroll Left Scroll Right

Business Tech
Week in review: A speedier new Firefox
Mozilla's latest version plays catch-up with the browser competition. Also: the latest in Windows 7 news, and a Yahoo data center in a new shade of green.
Gallery
Photos: The Transcontinental Railroad's Golden Spike
Apple
Employee shot, wounded at Virginia Apple store
The victim, a 26-year-old woman, is in serious but stable condition with a wound to the shoulder. Some media outlets are reporting robbery as the motive, but police say it's too early to tell.
Beyond Binary
Windows 7 may get a 'Family Pack'
Enthusiasts have spotted wording in a leaked test build of the operating system that suggests Microsoft may offer a three-PC deal with the new Windows.
Video
Video: iPhone 3G S launch in New York City
Digital Media
Seattle fire knocks out service to Bing Travel, other sites
At least two dozen sites experience protracted outage following Thursday night electrical fire at Fisher Plaza data center. Verizon's Seattle-area DSL service also gets temporarily disrupted.
Video
A recipe for high-tech chocolate
Geek Gestalt
Where the Transcontinental Railroad finally joined
At Promontory Summit, Utah, the Central Pacific Railroad and the Union Pacific Railroad met on May 10, 1869 after 1,776 miles of track had been laid over six years.
The Space Shot
Lunar mapping satellite snaps first test images
NASA's Lunar Reconnaissance Orbiter has snapped its first test images, showing the moon's starkly cratered terrain in preparation for the start of mapping operations.
Gallery
Photos: Top-rated reviews of the week
The Audiophiliac
Poll: Why don't you have an iPod or MP3 player?
What's wrong with you? Doesn't everybody have one of these things?
The Car Tech blog
Fisker's good Karma
At a dinner speech recently, Henrik Fisker laid out his plans for Fisker Automotive and its first car, the plug-in hybrid Karma.