A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.

Google engineer Tavis Ormandy released details on the Full Disclosure e-mail list and Ruben Santamarta, an engineer for Wintercore, wrote about it on his company's blog site.

The problem is with the Java Web Start framework, which allows developers an easy way to create Java applications. Disabling the Java plug-in will not protect against an attack, according to Ormandy.

"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws [Java Web Start] utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote. "The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."

Full story: c|net