In association with heise online

20 December 2006, 14:21

Sun provides details on security holes in Java

With a slight delay, Sun has released details regarding holes in Java that were closed in JDK 5.0 version 9, even though update 10 was recently released. Sun is thus sticking to its strategy of waiting to report errors until the software is at least one version number higher than the version in which the flaw was remedied.

Among other things, two buffer overflows have been resolved in the Java Runtime Environment (JRE) that allowed system resources to be accessed by non-trusted applets, which could then read, write, and execute arbitrary files with the user's rights. Two additional flaws in the serialization of the JRE also allowed an applet to gain more rights. Finally, two weak points allowed one applet to access the data of another applet. The flaws are found in the JDK and JRE versions up to 1.4.2_12, with some even in 1.3.1_18. Updates (1.4.2_13 and 1.3.1_19) have also been made available for these flaws.

Those who have not yet updated their systems should take note of Sun's warnings to do so. Keep in mind, however, that Java updates generally require the installation of a completely new version before deleting the previous one. Users therefore have to uninstall the old, vulnerable version manually.
