Sun issues patches for 'highly critical' Java flaws

Summary: Sun Microsystems has shipped patches to fix a batch of "highly critical" vulnerabilities in Sun Java JRE (Java Runtime Environment).

The flaws, which affect Windows, Solaris and Linux users, can be exploited to bypass certain security restrictions, manipulate data, disclose sensitive/system information, or potentially compromise a vulnerable system, according to an alert from Secunia.

On the Sun security blog, the company acknowledged 11 different vulnerabilities in Java 2 Platform, Standard Edition.

The skinny on the flaws:

1. A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

2. A bug in Java Web Start may allow an untrusted application to read local files that are accessible to the user running the untrusted application.

3. Two vulnerabilities in Java Web Start may allow an untrusted application to read and write local files that are accessible to the user running the untrusted application.

4. Three vulnerabilities in Java Web Start may allow an untrusted application to determine the location of the Java Web Start cache.

5. A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.

6. When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.

7. A vulnerability in the Java Runtime Environment (JRE) may allow malicious JavaScript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the JavaScript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

8. A security flaw in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...