Sun fixes Java Plug-in flaw

Bill Brenner

Sun Microsystems has fixed security holes attackers could exploit in Java Plug-in to access and modify local files, execute local applications or launch malicious files and Web pages.

The Santa Clara, Calif.-based company announced the fixes in an advisory Wednesday. They address two vulnerabilities in Java Plug-in, a program that allows small Web applications known as applets to be safely run on a user's computer.

The first flaw is in how JavaScript is handled when calling into Java code. If exploited, Sun said, "an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet." This can affect:

  • SDK and JRE 1.4.2, 1.4.1_06 and earlier;
  • All 1.4.0 releases; and
  • 1.3.1_12 and earlier for Windows using Internet Explorer.

The second flaw may allow an untrusted applet to "inappropriately interfere with another applet in the same Web page, which may [cause] it to incorrectly load non-code resources such as files and Web pages," Sun said. This can affect:

  • SDK and JRE 1.4.2_05 and earlier;
  • All 1.4.1 and 1.4.0 releases; and
  • 1.3.1_12 and earlier for Windows, Solaris and Linux.

Sun stressed that JDK and JRE 5.0 are not affected by these vulnerabilities. The company credited researcher Fujitsu for discovering the flaws and bringing them to the company's attention.

Sun said JavaScript can be disabled in the browser as a temporary workaround for the first issue, which is fixed in SDK and JRE 1.4.2_01 and later, and 1.3.1_13 and later. The second issue is fixed in SDK and JRE 1.4.2_06 and later, and 1.3.1_13 and later.
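The affected-release lists above can be turned into an inventory check. The following is an added example, not code from Sun's advisory or this article: it parses legacy Java version strings numerically and reports which of the two flaws the article lists each version under. The flaw labels, function names and sample hosts are assumptions made for illustration; platform qualifiers are ignored, and releases the article does not mention return an empty list.

```python
import re

ALL = float("inf")  # every update of that release family is listed as affected

# Highest affected update number per release family, as listed in the article.
# Platform qualifiers (e.g. "Windows using Internet Explorer") are not modelled.
AFFECTED = {
    "JavaScript-to-Java permission flaw": {
        (1, 4, 2): 0, (1, 4, 1): 6, (1, 4, 0): ALL, (1, 3, 1): 12},
    "cross-applet interference flaw": {
        (1, 4, 2): 5, (1, 4, 1): ALL, (1, 4, 0): ALL, (1, 3, 1): 12},
}

# Matches legacy version strings such as 1.4.2, 1.4.2_05 or 1.3.1_12-b03.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor, micro), update) from a line containing a version."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Java version found in {text!r}")
    family = tuple(int(part) for part in match.group(1, 2, 3))
    update = int(match.group(4) or 0)  # a bare "1.4.2" is update 0
    return family, update


def issues_for(text):
    """List the flaws for which the article names this version as affected."""
    family, update = parse_version(text)
    return [name for name, table in AFFECTED.items()
            if family in table and update <= table[family]]


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "host-a": 'java version "1.4.2"',
    "host-b": 'java version "1.4.2_05"',
    "host-c": 'java version "1.4.1_07"',
    "host-d": 'java version "1.3.1_13"',
    "host-e": 'java version "1.5.0"',
}

if __name__ == "__main__":
    for host, line in SAMPLE_INVENTORY.items():
        found = issues_for(line)
        print(host, line, "->", ", ".join(found) if found else "not listed as affected")
```

Comparing the update number as an integer per release family keeps 1.4.2_05 (second flaw only) distinct from 1.4.2 (both flaws), which a plain string comparison across families would not do reliably.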
