Sun Microsystems has fixed security holes attackers could exploit in Java Plug-in to access and modify local files, execute local applications or launch malicious files and Web pages.
The Santa Clara, Calif.-based company announced the fixes in an advisory Wednesday. They address two vulnerabilities in Java Plug-in, a program that allows small Web applications known as applets to be safely run on a user's computer.
- SDK and JRE 1.4.2, 1.4.1_06 and earlier;
- All 1.4.0 releases; and
- 1.3.1_12 and earlier for Windows using Internet Explorer.
The second flaw may allow an untrusted applet to "inappropriately interfere with another applet in the same Web page, which may [cause] it to incorrectly load non-code resources such as files and Web pages," Sun said. This can affect:
- SDK and JRE 1.4.2_05 and earlier;
- All 1.4.1 and 1.4.0 releases; and
- 1.3.1_12 and earlier for Windows, Solaris and Linux.
Sun stressed that JDK and JRE 5.0 are not affected by these vulnerabilities. The company credited researcher Fujitsu for discovering the flaws and bringing them to the company's attention.