Sun issues patches for 'highly critical' Java flaws

Summary: Sun Microsystems has shipped patches to fix a batch of "highly critical" vulnerabilities in Sun Java JRE (Java Runtime Environment).

The flaws, which affect Windows, Solaris and Linux users, can be exploited to bypass certain security restrictions, manipulate data, disclose sensitive/system information, or potentially compromise a vulnerable system, according to an alert from Secunia.

On the Sun security blog, the company acknowledged 11 different vulnerabilities in Java 2 Platform, Standard Edition.

The skinny on the flaws:

1. A vulnerability in the Java Runtime Environment (JRE) involving applet caching may allow an untrusted applet downloaded from a malicious website to make network connections to services on machines other than the one the applet was downloaded from. This may allow network resources (such as web pages), and vulnerabilities in those services, that are not otherwise reachable to be accessed or exploited.

2. A bug in Java Web Start may allow an untrusted application to read local files that are accessible to the user running the untrusted application.

3. Two vulnerabilities in Java Web Start may allow an untrusted application to read and write local files that are accessible to the user running the untrusted application.

4. Three vulnerabilities in Java Web Start may allow an untrusted application to determine the location of the Java Web Start cache.

5. A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.

6. When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.

7. A vulnerability in the Java Runtime Environment (JRE) may allow malicious JavaScript code downloaded by a browser from a malicious website to make network connections, through Java APIs, to services on machines other than the one the JavaScript code was downloaded from. This may allow network resources (such as web pages), and vulnerabilities in those services, that are not otherwise reachable to be accessed or exploited.

8. A security flaw in the JRE may allow an untrusted applet downloaded from a malicious website through a web proxy to make network connections to services on machines other than the one the applet was downloaded from. This may allow network resources (such as web pages), and vulnerabilities in those services, that are not otherwise reachable to be accessed or exploited.
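Flaws 1, 7 and 8 are three ways around the same sandbox rule: untrusted code, whether an applet or JavaScript driving Java APIs on its behalf, may only open connections back to the host named in its own codebase URL. The following is an added example, not Sun's code, that models that rule in Java so the decision points can be exercised directly: the `AppletNetworkPolicy` class, its hostname normalisation, and the `.example.test` hostnames are all assumptions for illustration, and the proxy case only shows what the decision must ignore, not how the real flaw worked.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

/**
 * Simplified model (added example, not Sun's code) of the applet sandbox rule
 * that flaws 1, 7 and 8 bypass: an untrusted applet, or script calling Java
 * APIs for it, may only connect to the host in its own codebase URL.
 */
public final class AppletNetworkPolicy {

    private final String originHost;

    private AppletNetworkPolicy(String originHost) {
        this.originHost = originHost;
    }

    /** Build the policy from the URL the untrusted code was actually loaded from. */
    public static AppletNetworkPolicy forCodebase(URL codebase) {
        return new AppletNetworkPolicy(normalize(codebase.getHost()));
    }

    /**
     * Flaw 8 case: the code was fetched through a web proxy. The TCP peer the
     * browser talked to was the proxy, but the origin is still the codebase
     * host, so the proxy address must play no part in the decision.
     */
    public static AppletNetworkPolicy forProxiedCodebase(URL codebase, String proxyHost) {
        return forCodebase(codebase); // proxyHost deliberately unused
    }

    /** Single decision point for applet sockets and for Java APIs called from JavaScript (flaw 7). */
    public boolean mayConnect(String targetHost) {
        String target = normalize(targetHost);
        return !target.isEmpty() && target.equals(originHost);
    }

    /** Lower-case and strip a trailing dot so "Host." and "host" compare equal (assumed rule). */
    static String normalize(String host) {
        if (host == null) return "";
        String h = host.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    private static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) throw new AssertionError(what);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Hostnames are made up for the example.
        URL codebase = new URL("http://applets.example.test/demo/");
        AppletNetworkPolicy p = forCodebase(codebase);

        expect(p.mayConnect("applets.example.test"), true, "origin host allowed");
        expect(p.mayConnect("APPLETS.example.test."), true, "case and trailing dot normalised");
        expect(p.mayConnect("intranet.example.test"), false, "other host in same domain refused");
        expect(p.mayConnect("10.0.0.5"), false, "raw internal address refused");
        expect(p.mayConnect(""), false, "empty target refused");

        AppletNetworkPolicy viaProxy = forProxiedCodebase(codebase, "proxy.example.test");
        expect(viaProxy.mayConnect("proxy.example.test"), false, "proxy is not the origin");
        expect(viaProxy.mayConnect("applets.example.test"), true, "origin still allowed via proxy");

        System.out.println("all checks passed");
    }
}
```

Compile and run with `javac AppletNetworkPolicy.java && java AppletNetworkPolicy`; each of the eight flaws' descriptions above corresponds to a way of reaching a target that this single check would refuse, which is why a bypass of the check, rather than a bug in any one applet, is what made these advisories "highly critical".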

Talkback

11 comments
  • Classic Java FUBAR

    But then, what can you really expect?
    After all, they do claim that they are full of beans.... ;0

    It's not like you don't have to go and dig through the Program Files folder to find their update program.
    dragon@...
  • native code is still better

    why use Java, or worse .nyet, just to add overhead and security issues you can't control?
    Linux Geek
    • Use it because of MultiProcessors

      It takes a very senior code warrior to write native code that can take advantage of multi processors and multi cores and low power consumption. Because the future of computing is mobile, there will be very little new development that doesn't take mobility into consideration which means power consumption. Multi processor means low power consumption because processors can be shut down when there isn't work for them to do.

      But of course there are tools and development platforms that do not involve Java that can help. It is just a fact that Java has a decade jump on those in its ability to take advantage of this now prevalent hardware power saving strategy. Java was designed 10 plus years ago with the notion that mainframe architecture would find its way to client devices.

      It will not be too much longer before someone cost-justifies replacement of hundreds of PCs with new multi-processor multi-core computing devices based on power savings. There are already programs giving discounts for doing so - just like the low energy refrigerator programs.
      mighetto
    • not always an option in the real world

      "why use Java, or worse .nyet..."

      Because in a small and medium size business environment, certain software vendors require those components to run their programs and custom coding everything is cost prohibitive. When you're in your own little world, you can do whatever you want. But in the real world you can't always have things the way you want them.
      Flying Pig
  • So Applets Are Taking Over - It is about time

    I think the significance of this article is that applets are taking over the Web 2.0. If you go back 10 years you would have found applet caching on the Netscape browser but not on the Microsoft Browser. This was later corrected so that applet caching is standard on both. But to avoid browsers altogether Java Web Start was invented which, best I can tell from working with it, is applet plus its own browser. The article supports this notion.

    Now I wish I knew what we were supposed to do with the information presented in the article. It would be nice for the author to have identified an applet or java web start deployment that used a nasty 11. Is there a single one? I am guessing no because the article would have been much better if it identified it.

    So let's try that Java applet to Citrix at the office or the GotoMyPc applet.

    This is the reality. I do not usually have administrator rights on the PCs at cafes, libraries, FedEx etc. If a message pops up that requires downloading a bit of software for, say, watching a news clip I am out of luck. Hence companies like Adobe are rewriting their downloads in Java. Java applets have already taken over when you do real work, as demonstrated by the Citrix and GotoMyPC applets.
    mighetto
    • Applets taking over? Flash maybe, but not Java

      Java applets are by no means playing a significant role in "Web 2.0". If anything, Flash applets *may* be (e.g. YouTube and other streaming video sites).
      PB_z
      • Don't forget

        Silverlight. It goes well beyond Flash in its use but Flash is a competitor to a subset of Silverlight.
        xuniL_z
    • Java, what's java?

      Last I looked java was declining except in mobile devices or set-top boxes...
      wizec
  • Got the update this morning ...

    Running Kubuntu 7.10 "Gutsy" beta and noticed the sun-java runtime files were in the adept package manager systray, along with about 60 other packages. Thought it was strange since sun-java rarely has updates. Now I know why. ;)
    MisterMiester
  • It is time everyone

    just moved to .NET and got moving on real, fast, secure, reliable and extremely powerful apps.
    Move to Vista, .NET 3.0, Visual Studio 2005 and experience WPF among other technologies that allow for great rich internet apps. Best dev environment and tools on the planet.
    Take advantage of Silverlight and MS Live services.
    Check out this great description and get moving in the right direction:
    http://www.webware.com/8301-1_109-9714748-2.html
    xuniL_z
  • 1722 error

    There are still MANY people who can't use Sun Java because it WON'T install on their machine.

    S'pose we're all safe from these exploits tho'!!!!
    chaz15