In association with heise online

05 October 2007, 10:59

Sun fixes multiple vulnerabilities in Java


Sun has published four security advisories detailing security vulnerabilities in its Java Runtime Environment (JRE). A bug in applet caching can enable an untrusted applet to establish network connections with systems or servers other than the server from which it has been downloaded, contrary to normal Java security policies. In addition, untrusted applets can open a window sufficiently large that JRE warning messages are not visible to the user. Fraudsters could exploit this to fool users into accepting specific content as trusted.

Malicious applets can also obtain access to a system via drag and drop. However, Sun points out that to achieve this the applet would have to persuade the user to drag files from the applet window into an application with write privileges.

The three vulnerabilities described are present in JDK and JRE 6 Updates 2 and earlier, JDK and JRE 5.0 Updates 12 and earlier, SDK and JRE 1.4.2_15 and earlier and SDK and JRE 1.3.1_20 and earlier. The bugs are fixed in JDK and JRE 6 Update 3, JDK and JRE 5.0 Update 13 and SDK and JRE 1.4.2_16. Version 1.3.1_21 of SDK and JRE 1.3.1 should be released shortly.

In addition, Sun has also reported three vulnerabilities in Java Web Start which enable applets to obtain access to local files and applications. All three bugs are present in the above versions; however, not all of the bugs are present in each version. Only SDK and JRE 1.3.1 are not affected, as these versions do not include Web Start. These vulnerabilities are likewise fixed in the latest versions. It should be noted that Java updates usually install a completely new version without deleting the previous version. Users must therefore uninstall the old, vulnerable version manually.
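Because an update leaves the older JRE in place, an administrator typically ends up with several installs and has to check each one. The following script is an added example, not code from the article or from Sun: it parses the version banner that each installed `java -version` prints (the "1.6.0_02" form, where 6 Update 2 is written as 1.6.0_02) and compares the update number against the first fixed update for each family as listed above. The sample banners are constructed; families the advisories do not mention (for example 1.7.0) are reported as unknown rather than assumed safe, and 1.3.1 is treated as affected because the three JRE bugs, unlike the Web Start ones, do apply to it.

```python
import re

# Earliest fixed update per Java family, taken from the advisory summary above.
# Key: (major, minor, patch) as written in the version string; value: first fixed update.
FIXED_UPDATE = {
    (1, 6, 0): 3,   # JDK/JRE 6 Update 3
    (1, 5, 0): 13,  # JDK/JRE 5.0 Update 13
    (1, 4, 2): 16,  # SDK/JRE 1.4.2_16
    (1, 3, 1): 21,  # SDK/JRE 1.3.1_21 (announced, not yet released when the article ran)
}

# Matches "1.6.0_02", "1.4.2_15" or a bare "1.6.0" inside a `java -version` banner.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\b")


def parse_java_version(text):
    """Return (major, minor, patch, update) from a version string or `java -version` banner.

    A build with no "_NN" suffix is the initial release, i.e. update 0.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Java version string found in: %r" % text)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_vulnerable(text):
    """True if the build predates the fix, False if it is fixed,
    None if the family is not covered by these advisories."""
    major, minor, patch, update = parse_java_version(text)
    fixed = FIXED_UPDATE.get((major, minor, patch))
    if fixed is None:
        return None
    return update < fixed


def audit(banners):
    """Classify each banner: {banner: 'vulnerable' | 'fixed' | 'unknown'}."""
    result = {}
    for banner in banners:
        try:
            status = is_vulnerable(banner)
        except ValueError:
            result[banner] = "unknown"
            continue
        if status is None:
            result[banner] = "unknown"
        else:
            result[banner] = "vulnerable" if status else "fixed"
    return result


# Constructed sample output from several `java -version` runs (not real host data).
SAMPLE_BANNERS = [
    'java version "1.6.0_02"',
    'java version "1.6.0_03"',
    'java version "1.5.0_12"',
    'java version "1.4.2_16"',
    'java version "1.3.1_20"',
    'java version "1.7.0"',
]

if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS).items():
        print("%-28s %s" % (banner, status))
```

In practice the banners would be collected by running `bin/java -version` from every JRE directory on the host, since only the install on the PATH is visible to a single invocation; any install reported as vulnerable is one the article says must be removed by hand.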
