
Sun plugs Java Web Start, Solaris holes

By Bill Brenner, News Writer
21 Mar 2005 | SearchSecurity.com


Sun Microsystems recommends that Java Web Start and Solaris users apply updates that plug security holes attackers could exploit to tamper with local files, gain elevated privileges or launch malicious code.

The Santa Clara, Calif.-based company said the problem with Java Web Start is that it "may allow an untrusted application the ability to elevate its privileges. As a result, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the Java Web Start application."

This vulnerability affects Java Web Start in J2SE releases 1.4.2_06 and earlier for Windows, Solaris and Linux. Java Web Start in J2SE 5.0 and later, and in J2SE releases prior to 1.4.2, for Windows, Solaris and Linux is not affected. Java Web Start 1.0.1_02 and earlier are also not affected.

Sun said there are no reliable symptoms to indicate the security hole is being exploited on vulnerable machines.

The company has fixed the problem in J2SE 1.4.2_07 and later for Windows, Solaris and Linux.
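
Because Sun reports no reliable symptoms of exploitation, exposure has to be judged from installed versions. The following is an added example, not code from Sun or from this article: it classifies J2SE version strings against the ranges stated above, using constructed host names and `java -version` lines, and does not cover the standalone Java Web Start 1.0.1_02 numbering.

```python
import re

# `java -version` prints e.g.: java version "1.4.2_06"
# A build suffix ("-b03") may follow; a missing "_NN" means update 0.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

FIRST_AFFECTED = (1, 4, 2, 0)  # releases prior to 1.4.2 are not affected
FIRST_FIXED = (1, 4, 2, 7)     # fixed in 1.4.2_07
J2SE_5_0 = (1, 5, 0, 0)        # J2SE 5.0 reports itself as 1.5.0


def parse_version(text):
    """Return (major, minor, micro, update) from a J2SE version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no J2SE version found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def classify(text):
    """Map a version string to 'affected', 'fixed' or 'not-affected'."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-affected"   # prior to 1.4.2
    if v < FIRST_FIXED:
        return "affected"       # 1.4.2 through 1.4.2_06
    if v < J2SE_5_0:
        return "fixed"          # 1.4.2_07 and later 1.4.2 updates
    return "not-affected"       # J2SE 5.0 and later


# Constructed inventory: host name -> first line of `java -version` output.
INVENTORY = {
    "build01": 'java version "1.4.2_06"',
    "web02": 'java version "1.4.2_07"',
    "legacy03": 'java version "1.4.1_05"',
    "dev04": 'java version "1.5.0_01"',
    "kiosk05": 'java version "1.4.2"',
}


def affected_hosts(inventory):
    """Hosts whose J2SE release needs the 1.4.2_07 update."""
    return sorted(h for h, out in inventory.items()
                  if classify(out) == "affected")


if __name__ == "__main__":
    for host, out in sorted(INVENTORY.items()):
        print(host, classify(out))
```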

Meanwhile, Sun has patched a buffer overflow vulnerability in newgrp(1) that attackers could use to target systems running Solaris 7, 8 or 9.

"A buffer overflow in newgrp(1) may allow a local unprivileged user the ability to gain root privileges," Sun's advisory said.

Danish security firm Secunia said in its advisory that, "The flaw is due to an unspecified boundary error in the newgrp utility and can be exploited to cause a buffer overflow. Successful exploitation allows execution of arbitrary code with root privileges."

The glitch affects Solaris 7, 8 and 9 on the SPARC and x86 platforms.

Like the Java Web Start vulnerability, there are no predictable symptoms to indicate when this problem is being exploited, Sun said.
