Sun plugs Java Web Start, Solaris holes

Sun Microsystems recommends Java Web Start and Solaris users apply updates that plug security holes attackers could exploit to tamper with local files, gain elevated privileges or launch malicious code.

The Santa Clara, Calif.-based company said the problem with Java Web Start is that it "may allow an untrusted application the ability to elevate its privileges. As a result, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the Java Web Start application."

This vulnerability affects Java Web Start in J2SE releases 1.4.2_06 and earlier for Windows, Solaris and Linux. Java Web Start in J2SE 5.0 and later and J2SE releases prior to 1.4.2 for Windows, Solaris and Linux are not affected. Java Web Start 1.0.1_02 and earlier are also not affected.

Sun said there are no reliable symptoms to indicate the security hole is being exploited on vulnerable machines.

The company has fixed the problem in J2SE 1.4.2_07 or later for Windows, Solaris and Linux.

Meanwhile, Sun has patched a buffer overflow vulnerability in newgrp(1) that attackers could use to target systems running Solaris 7, 8 or 9.

"A buffer overflow in newgrp(1) may allow a local unprivileged user the ability to gain root privileges," Sun's advisory said.

Danish security firm Secunia said in its advisory that, "The flaw is due to an unspecified boundary error in the newgrp utility and can be exploited to cause a buffer overflow. Successful exploitation allows execution of arbitrary code with root privileges."

The glitch affects Solaris 7, 8 and 9 on the SPARC and x86 platforms.

Like the Java Web Start vulnerability, there are no predictable symptoms to indicate when this problem is being exploited, Sun said.