Dangerous Java flaw threatens virtually everything

Dangerous Java flaw threatens virtually everything

Summary: Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threatens the security of all platforms, browsers and even mobile devices.

SHARE:

Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threatens the security of all platforms, browsers and even mobile devices.

"This is as bad as it gets," said Chris Gatford, a security expert from penetration testing firm Pure Hacking.

"It's a pretty significant weakness, which will have a considerable impact if the exploit codes come to fruition quickly. It could affect a lot of organisations and users," Gatford told ZDNet Australia.

Australia's Computer Emergency Response Team (AusCERT) analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

"Delivery of exploits in this manner is attractive to attackers because even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content," said Lowe.

According to Gatford, the bugs threaten pretty much every modern device.

"Java runs on everything: cell phones, PDAs, and PCs. This is the problem when you have a vulnerability in something so modular -- it affects so many different devices.

"Also, this exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment," said Gatford.

Pure Hacking's Gatford said the problem is compounded by the slim chance of an enterprise patching Java Runtime vulnerabilities.

"It would be an extremely difficult and laborious process for an organisation trying to patch Java Runtime across the enterprise," he said.

For more information, see the AusCERT advisory.

Topics: Security, Open Source, AUSCERT

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • java flaw? more like media needs their brains to thaw...

    Why are you guys so anxious to tell us about something that is already patched and updated?

    the AusCERT advisory
    http://www.auscert.org.au/render.html?it=7664
    say that this effects * JDK and JRE 6
    * JDK and JRE 5.0 Update 10 and earlier
    * SDK and JRE 1.4.2_14 and earlier
    * SDK and JRE 1.3.1_20 and earlier
    so checking my java version:
    $ java -version
    java version "1.5.0_08"

    Ha!
    Java has already been patched and updated by Ubuntu 6.10!
    So how come the hullabaloo over out of date stuff?
    must be SND...(slow news day).....
    anonymous
  • Dear Twit...

    How very nice your home toy computer is current. Perhaps you should try working in a corporate environment with a couple hundred or a few thousand desktops. Your ignorance and attitude would likely be corrected to be more inline with reality.

    e.g. The SAP client wants JRE 1.4.2_12 or 1.5.X

    Also, you may wish to read your own comment for comprehension.

    "...say that this effects.. JDK and JRE 5.0 Update 10 and earlier"

    you:
    $ java -version
    java version "1.5.0_08"

    *ahem* .. that's update 8, not 10. You're vulnerable. HAND, HTH.
    anonymous
  • java - write once, vulnerable everywhere

    Awesome. Cross platform vulnerability. In language terms, java's been in steady decline in recent year (syntax bloat etc) and now the VM's joined it.
    JAVA = Just Another Vulnerable Application
    anonymous
  • This hole was fixed along time ago

    This hole was fixed a long time ago, and it did not affect mobile devices as far as anyone knows. It only affected image processing code in J2SE.

    Please ZDNet, try to get your facts straight before you go out reporting sensationalist "The sky is falling" headlines like this.

    No, the sky is not falling. And this is also very old news. The hole has been fixed.
    anonymous
  • re: vulnerable everywhere

    Oh please... The only reason it is cross platform is because Java is cross platform. This is not a VM problem.

    You know what happens when libjpeg on Linux has a processing vulnerability for example? Every single application on every single Linux distribution using that version of libjpeg, is vulnerable as well.

    So this is no different than when a shared library or DLL has a vulnerability.
    anonymous