Sun Microsystems Inc. has released updates to correct nearly two dozen critical flaws in the Sun Java Runtime Environment that could be exploited remotely by an attacker to bypass security, gain access to critical files or conduct a denial-of-service attack.
Errors in the runtime environment's handling of Java Archive (JAR) files could be exploited with a malicious JAR, and multiple image processing errors could result in buffer overflows. Other flaws can be exploited to make the runtime open network connections it should not, which an attacker could use to download more malware.
There are also multiple flaws in the Java Web Start application. Java Web Start allows users to launch Java applications directly from a browser. To exploit the flaws, an attacker has to get Java Web Start to process a malicious file. A successful attack could give the attacker the ability "to read, write or execute local files with the privileges of the user running the application," according to an advisory issued by the Danish vulnerability clearinghouse Secunia. Secunia gave the flaws a highly critical rating.
Other errors in Java Web Start can give an attacker the ability to modify system properties and hijack HTTP sessions, Sun said in multiple advisories.
Sun issued updates to its runtime environment and Java SE Development Kits (JDK) to correct the flaws.