Sun fixes Java Plug-in flaw

Attackers could use security holes in Java Plug-in to access and modify files or unleash malicious files and Web pages.

Sun Microsystems has fixed security holes attackers could exploit in Java Plug-in to access and modify local files, execute local applications or launch malicious files and Web pages.

The Santa Clara, Calif.-based company announced the fixes in an advisory Wednesday. They address two vulnerabilities in Java Plug-in, a program that allows small Web applications known as applets to be safely run on a user's computer.

The first flaw is in how JavaScript is handled when calling into Java code. If exploited, Sun said, "an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet." This can affect:

  • SDK and JRE 1.4.2, 1.4.1_06 and earlier;
  • All 1.4.0 releases; and
  • 1.3.1_12 and earlier for Windows using Internet Explorer.

The second flaw may allow an untrusted applet to "inappropriately interfere with another applet in the same Web page, which may [cause] it to incorrectly load non-code resources such as files and Web pages," Sun said. This can affect:

  • SDK and JRE 1.4.2_05 and earlier;
  • All 1.4.1 and 1.4.0 releases; and
  • 1.3.1_12 and earlier for Windows, Solaris and Linux.

Sun stressed that JDK and JRE 5.0 are not affected by these vulnerabilities. The company credited Fujitsu with discovering the flaws and reporting them to Sun.

Sun said JavaScript can be disabled in the browser as a temporary workaround for the first issue. The first issue is fixed in SDK and JRE 1.4.2_01 and later and in 1.3.1_13 and later; the second is fixed in SDK and JRE 1.4.2_06 and later and in 1.3.1_13 and later. A system on the 1.4.2 train therefore needs 1.4.2_06 or later to be clear of both issues, and 1.3.1 systems need 1.3.1_13 or later. No fixed update is listed for the 1.4.1 and 1.4.0 trains, every release of which is affected by the second flaw, so those installations have to move to a fixed train.
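The affected and fixed version lists above are easy to misread because the two flaws have different cut-offs on the same release train. The following script, added here as an example and not Sun's or Fujitsu's code, encodes those lists and classifies the first line of `java -version` output. It assumes the usual `java version "1.4.2_05"` format of that line; the sample outputs and build suffixes in it are constructed, not captured from real hosts. It ignores the platform qualifiers on the 1.3.1 entries (Windows/IE for the first flaw; Windows, Solaris, Linux for the second) and flags a matching version on any OS, which errs on the side of patching.

```python
"""Classify an installed Java SDK/JRE against the two Java Plug-in flaws.

Added example, not Sun's code. Encodes the affected/fixed version lists from
the advisory and parses the first line of `java -version` output.
"""
import re
from typing import Optional, Tuple

FLAW_JS = "flaw 1: untrusted applet self-grants permissions via JavaScript call-in"
FLAW_APPLET = "flaw 2: untrusted applet interferes with another applet on the page"

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# First line of `java -version`, e.g.:  java version "1.4.2_05"
VERSION_LINE_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_version(text: str) -> Version:
    """Turn '1.4.2_05' (or '1.4.2', or '1.4.2_05-b04') into (1, 4, 2, 5)."""
    base = text.split("-", 1)[0]            # drop a build suffix such as -b04
    core, _, update = base.partition("_")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, micro = parts[:3]
    return (major, minor, micro, int(update) if update else 0)


def affected_by(v: Version) -> Optional[Tuple[str, ...]]:
    """Flaws a release is exposed to: () if fixed or not affected,
    None if the release train is not named in the advisory at all.

    Platform qualifiers on the 1.3.1 entries are deliberately ignored
    (assumption: flag on any OS rather than miss a Windows/IE host).
    """
    major, minor, micro, update = v
    flaws = []
    if (major, minor) >= (1, 5):
        return ()                              # JDK/JRE 5.0 is not affected
    if (major, minor, micro) == (1, 4, 2):
        if update < 1:                         # fixed in 1.4.2_01 and later
            flaws.append(FLAW_JS)
        if update < 6:                         # fixed in 1.4.2_06 and later
            flaws.append(FLAW_APPLET)
    elif (major, minor, micro) == (1, 4, 1):
        if update <= 6:                        # 1.4.1_06 and earlier
            flaws.append(FLAW_JS)
        flaws.append(FLAW_APPLET)              # all 1.4.1 releases
    elif (major, minor, micro) == (1, 4, 0):
        flaws += [FLAW_JS, FLAW_APPLET]        # all 1.4.0 releases
    elif (major, minor, micro) == (1, 3, 1):
        if update <= 12:                       # fixed in 1.3.1_13 and later
            flaws += [FLAW_JS, FLAW_APPLET]
    else:
        return None                            # e.g. 1.3.0 or 1.2: not covered
    return tuple(flaws)


def assess_java_version_output(output: str) -> Tuple[str, Optional[Tuple[str, ...]]]:
    """Parse `java -version` output; return (version string, affected_by result)."""
    m = VERSION_LINE_RE.search(output)
    if not m:
        raise ValueError('no \'java version "..."\' line found')
    return m.group(1), affected_by(parse_version(m.group(1)))


# Constructed sample outputs (not captured from real hosts; build numbers are
# made up) in the shape `java -version` prints for these release trains.
SAMPLE_OUTPUTS = {
    "patched-1.4.2":        'java version "1.4.2_06"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)\n',
    "partly-patched-1.4.2": 'java version "1.4.2_05"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)\n',
    "old-1.3.1":            'java version "1.3.1_12"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_12-b03)\n',
    "jdk-5.0":              'java version "1.5.0"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)\n',
}

if __name__ == "__main__":
    for host, out in SAMPLE_OUTPUTS.items():
        version, flaws = assess_java_version_output(out)
        if flaws is None:
            verdict = "not covered by this advisory"
        elif not flaws:
            verdict = "not affected"
        else:
            verdict = "UPGRADE: " + "; ".join(flaws)
        print(f"{host:22} {version:10} {verdict}")
```

In practice you would feed it `java -version 2>&1` from each host (the JVM prints that banner on stderr) and, for browser-facing machines, the version of the Plug-in the browser actually loads rather than the first `java` on the PATH, since several JREs can coexist on one box.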
