Sun fixes multiple Java flaws

Attackers could exploit flaws in the Java Runtime Environment and Management Extensions to read and write local files or execute applications.

Sun Microsystems Inc. has fixed multiple security holes in programs computers rely on to run Java applications. Attackers could use malicious applets on vulnerable PCs to obtain the elevated user privileges needed to read and write local files or execute local applications.

The Santa Clara, Calif.-based company released three advisories Monday. Two of them outline flaws in the Java Runtime Environment (JRE), which provides the minimum requirements for computers to run a Java application. It consists of the Java Virtual Machine (JVM), core classes and supporting files, according to Whatis.com, a sister site to SearchSecurity.com.

The first advisory explains that a vulnerability in JRE could allow an untrusted applet to elevate its privileges. "For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet," Sun said.

The issue affects Java Development Kit (JDK) and JRE 5.0 Update 3 and earlier for Windows, Solaris and Linux, Sun said. The problem is fixed in JDK and JRE 5.0 Update 4 and later for all three operating systems.

The second advisory details three vulnerabilities that could allow a malicious applet to elevate its privileges "with the use of 'reflection' APIs in the Java Runtime Environment." For example, Sun said, "An untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet."

The following releases are affected by one or more of the flaws on the Windows, Solaris and Linux platforms: SDK (software developer's kit) and JRE 1.3.1_15 and prior; SDK and JRE 1.4.2_08 and prior; and JDK and JRE 5.0 Update 3 and prior. The issues are fixed in SDK and JRE 1.3.1_16 and later; SDK and JRE 1.4.2_09 and later; and JDK and JRE 5.0 Update 4 and later.

The third advisory outlines a flaw in the Java Management Extensions (JMX) implementation that's included with JRE. As with the vulnerabilities in the second advisory, a malicious applet could exploit the flaw to elevate its privileges to read and write local files or execute local applications.

This affects JDK and JRE 5.0 Update 3 or earlier for Windows, Solaris and Linux, and is fixed in JDK and JRE 5.0 Update 4 or later.
