The software developer who discovered the bug that led to the demise of his company’s platform has published an explanation of what he did to get to it.
The bug, discovered by Martin Schulte last month, allowed him to run an arbitrary binary file through the Java Virtual Machine (JVM) without permission, allowing malicious code to be loaded on his system.
The exploit, however, was only able to execute code on a machine running a version of the Java Runtime Environment (JRE), which is an application-level layer that runs on most modern computers.
While the exploit had no apparent impact on normal use of the platform, its potential to compromise the system’s software meant the company’s customers could not use it to install any software.
“It was not a perfect exploit, but I think it was a great idea and I was very lucky that no one was using it to gain control over the system,” Schulte told Hack.com.
He added that he did not want to reveal how the exploit was discovered, but the fact that it was found so quickly showed that he was not alone in finding the problem.
“There were people who had been working on this for months and months without noticing the vulnerability until one of their colleagues did,” he said.
“When you have people reporting problems like this and you do not do anything about it, it shows how serious this vulnerability is.”
Schulte and his colleagues had previously reported on a similar vulnerability in Oracle Java.
That vulnerability, which was patched in August, led to an attack on the company that saw its entire IT infrastructure go offline, affecting about 50,000 employees worldwide.
Oracle has since released a patch for the Java exploit, which has now been found and patched.
However, many have argued that the company has not done enough to prevent such an attack from being possible in the future.
Schulte has been trying to get his company back online since the bug was discovered.
However, he believes that it will take a long time before Oracle’s new Java update will do much to ease the problem for him and his staff.
“They said they were going to fix it in two weeks,” he explained.
“What they did was not.
And we are waiting two weeks to get the patch.”
Schulte has written a blog post detailing how he worked out how he was able to bypass Oracle’s patch and how he plans to fix the vulnerability in Java.
He also outlined the steps he took to fix his company, including the removal of the malware used in the attack.
“My biggest concern with this exploit is that it is not a flaw that can be fixed by software alone, it can be remediated by software, but it will not be remedied by software that has not been tested, it will be remediated by the community,” he wrote.
“I know that this has caused a lot of anxiety, and I have had to spend a lot more time than usual to get this fixed.
But this is a small price to pay to try and get the world back online.”
Schulte, who has not yet published his blog post on the exploit, told Hack that he hopes that by sharing his experience he can help other people who are also finding themselves in similar situations.
“Hopefully this will encourage other people to go through the same process, to try to find the right tool that is easy to use and easy to fix,” he added.