
Sun fixes multiple Java flaws

Bill Brenner

Sun Microsystems Inc. has fixed multiple security holes in programs computers rely on to run Java applications. Attackers could use malicious applets on vulnerable PCs to obtain the elevated user privileges needed to read and write local files or execute local applications.

The Santa Clara, Calif.-based company released three advisories Monday. Two of them outline flaws in the Java Runtime Environment (JRE), which provides the minimum requirements for computers to run a Java application. It consists of the Java Virtual Machine (JVM), core classes and supporting files, according to Whatis.com, a sister site to SearchSecurity.com.

The first advisory explains that a vulnerability in JRE could allow an untrusted applet to elevate its privileges. "For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet," Sun said.

The issue affects Java Development Kit (JDK) and JRE 5.0 Update 3 and earlier for Windows, Solaris and Linux, Sun said. The problem is fixed in JDK and JRE 5.0 Update 4 and later for all three operating systems.

The second advisory details three vulnerabilities that could allow a malicious applet to elevate its privileges "with the use of 'reflection' APIs in the Java Runtime Environment." For example, Sun said, "An untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet."

The following releases are affected by one or more of the flaws on the Windows, Solaris and Linux platforms: SDK (software developer's kit) and JRE 1.3.1_15 and prior; SDK and JRE 1.4.2_08 and prior; and JDK and JRE 5.0 Update 3 and prior. The issues are fixed in SDK and JRE 1.3.1_16 and later; SDK and JRE 1.4.2_09 and later; and JDK and JRE 5.0 Update 4 and later.

The third advisory outlines a flaw in the Java Management Extensions (JMX) implementation that's included with JRE. As with the vulnerabilities in the second advisory, a malicious applet could exploit the flaw to elevate its privileges to read and write local files or execute local applications.

This affects JDK and JRE 5.0 Update 3 or earlier for Windows, Solaris and Linux, and is fixed in JDK and JRE 5.0 Update 4 or later.
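For administrators checking an inventory against the ranges above, the following is an added example (not code from Sun or from the article) that classifies `java -version` strings by advisory. The advisory labels, host names and sample banners are constructed; it assumes "5.0 Update 3" appears in the version string as `1.5.0_03` and that "and prior" is compared within each release family.

```python
import re

# Last affected build per release family, taken from the article.
# Advisory labels are this example's own names, not Sun's identifiers.
LAST_AFFECTED = {
    "jre-privilege-escalation": {(1, 5): (1, 5, 0, 3)},
    "reflection-apis": {(1, 3): (1, 3, 1, 15),
                        (1, 4): (1, 4, 2, 8),
                        (1, 5): (1, 5, 0, 3)},
    "jmx": {(1, 5): (1, 5, 0, 3)},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_java_version(text):
    """Return (major, minor, micro, update) from e.g. 'java version "1.4.2_08"'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Java version string in %r" % text)
    # A missing "_NN" suffix means the initial release of that line (update 0).
    return tuple(int(g or 0) for g in m.groups())

def affected_advisories(text):
    """List the advisories whose affected range includes this version.

    Families the article does not mention return an empty list, which
    means "not covered here", not "known safe".
    """
    version = parse_java_version(text)
    family = version[:2]
    return [name for name, ranges in LAST_AFFECTED.items()
            if family in ranges and version <= ranges[family]]

def audit(inventory):
    """Map host -> advisories for hosts that still need an update."""
    return {host: hits for host, banner in inventory.items()
            if (hits := affected_advisories(banner))}

# Constructed sample inventory (host names and banners are illustrative).
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.5.0_03"',
    "web-02": 'java version "1.5.0_04"',
    "legacy-03": 'java version "1.4.2_08"',
    "legacy-04": 'java version "1.4.2_09"',
    "kiosk-05": 'java version "1.3.1_16"',
    "kiosk-06": 'java version "1.3.1_02"',
}

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, "->", ", ".join(hits))
```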

