Sun releases patch to address a number of serious vulnerabilities

Sun released an update today to cover numerous vulnerabilities within the JDK/JRE.

The following vulnerabilities were reported as patched:

  • Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently allow an untrusted application or applet that is downloaded from a website to elevate its privileges.  For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet. (CVE-2008-1185, CVE-2008-1186)
  • A security vulnerability in the Java Runtime Environment (JRE) with the processing of XSLT transformations may allow an untrusted applet or application that is downloaded from a website to elevate its privileges.  For example, an applet may read certain unauthorized URL resources (such as some files and web pages) or potentially execute arbitrary code.  This vulnerability may also be exploited to create a Denial-of-Service (DoS) condition by causing the JRE to crash. (CVE-2008-1187)
  • Three buffer overflow vulnerabilities in Java Web Start may independently allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges.  For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1188, CVE-2008-1189)
  • A vulnerability in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges.  For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1190)
  • A vulnerability in Java Web Start may allow an untrusted Java Web Start application to create files on the system that the untrusted application runs on and leverage these files to run local applications with the privileges of the user running the untrusted Java Web Start application. (CVE-2008-1191)
  • A security vulnerability in the Java Plug-in may allow an applet that is downloaded from a website to bypass the same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet. (CVE-2008-1192)
  • A vulnerability in the Java Runtime Environment image parsing library may allow an untrusted application or applet that is downloaded from a website to elevate its privileges.  For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet. (CVE-2008-1193)
  • Two vulnerabilities in the color management library may allow an untrusted applet or application to cause the Java Runtime Environment to crash, which is a type of Denial of Service (DoS). (CVE-2008-1194)
  • A vulnerability in the Java Runtime Environment may allow JavaScript code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs.  This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. (CVE-2008-1195)
  • A buffer overflow vulnerability in Java Web Start may allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1196)

Affected Versions:

  • JDK and JRE 6 Update 5
  • JDK and JRE 5.0 Update 15
  • SDK and JRE 1.4.2_17
  • SDK and JRE 1.3.1_22

Obviously some of these are very serious issues and I expect that we will see some great proof of concept code shortly that I will also talk about here.

-Nate
