A security researcher claims to have alerted Mojang to this flaw two years ago. Given the lack of response, the researcher decided to make it public.
Ammar Askar writes that Mojang was alerted a long time ago and that the company is taking too long to respond. Askar has now published the details of the flaw, which, if exploited, overloads the server with a data decompression workload until it runs out of memory.
If Mojang sets a limit on the size of the data, the problem is solved, and the fix is not difficult to implement, explains the researcher, quoted by ZDNet.
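The size limit described above, as an added example (not Askar's demonstration and not Mojang's code): a Python sketch of decompression that stops once a fixed output budget is exceeded, so a small compressed payload cannot force a large allocation. The use of zlib, both caps, and the names `bounded_inflate` and `PayloadTooLarge` are assumptions made for illustration; the article does not name the compression format.

```python
import zlib

# Assumed caps for illustration; a real server would size these to its protocol.
MAX_COMPRESSED = 32 * 1024      # largest compressed payload accepted
MAX_DECOMPRESSED = 64 * 1024    # largest output the server will ever allocate


class PayloadTooLarge(Exception):
    """Raised when a payload exceeds the compressed or decompressed cap."""


def bounded_inflate(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Decompress a zlib stream, refusing to produce more than `limit` bytes."""
    if len(data) > MAX_COMPRESSED:
        raise PayloadTooLarge("compressed payload exceeds cap")

    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        # Ask for at most one byte beyond the remaining budget: enough to
        # detect an overrun, never enough to allocate far past the limit.
        # (The budget is always >= 1; max_length=0 would mean "unlimited".)
        piece = d.decompress(buf, limit - len(out) + 1)
        out += piece
        if len(out) > limit:
            raise PayloadTooLarge("decompressed payload exceeds cap")
        buf = d.unconsumed_tail
        if not piece and not buf:
            raise ValueError("truncated or incomplete compressed stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the published demonstration.
    ok = zlib.compress(b"player position update " * 20)
    print(len(bounded_inflate(ok)), "bytes accepted")

    oversized = zlib.compress(b"\x00" * (1024 * 1024))  # ~1 KiB on the wire
    try:
        bounded_inflate(oversized)
    except PayloadTooLarge as exc:
        print("rejected:", exc)
```

The check runs during decompression rather than after it, which is what keeps memory use bounded by the cap instead of by the attacker-chosen expansion ratio.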
The flaw was detected in version 1.6.2, released in July 2013, but remains in the two major updates released since. Askar published a demonstration of the flaw on GitHub.
Recall that Mojang was recently bought by Microsoft.
Unknown
Thursday, April 23, 2015