Updates for Java eliminate many security holes
Sun Microsystems has issued updates for Java that eliminate numerous errors and vulnerabilities in the Java Development Kit (JDK) and the Java Runtime Environment (JRE). These include denial-of-service vulnerabilities, buffer overflows and other errors that could crash the runtime or allow a crafted applet to access certain resources, the file system, or even the entire computer. Some of the errors are in Java Web Start, some in the Java Management Extensions (JMX) Management Agent, and others in the functions that process XML data.
However, not all of the errors listed are present in all versions. Users will have difficulty deciding which versions are actually affected by what, because Sun has spread its explanations of the individual problems across eight security advisories (listed below). The practical rule is that all the errors listed are eliminated in the latest versions: JDK and JRE 6 Update 7, JDK and JRE 5.0 Update 16, SDK and J2SE 1.4.2_18, and SDK and J2SE 1.3.1_23.
The three older versions of Java (1.3.1, 1.4.2 and 5) have either entered the End of Life (EOL) transition period or have already passed it. For 1.3.1, for example, updates are only available for Solaris. Support for 1.4.2 ends on 30 October 2008, and support for version 5 (internally 1.5) ends on 30 October 2009; after those dates there will be no further security updates. Users should therefore consider switching to version 6 (internally 1.6) now. Since the Java installers do not uninstall older versions of the software, users have to remove them manually, for example via Add or Remove Programs in the Windows Control Panel. This matters because a runtime that is merely superseded, rather than removed, is still present on the system with all of its unpatched flaws.
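Because the fixed levels are spread across four release lines, a quick check of what is actually installed is worth scripting. The following Python is an added example, not code from Sun or from the original article. It assumes only the fixed versions quoted above and the fact that Sun's version strings map "6 Update 7" to 1.6.0_07, "5.0 Update 16" to 1.5.0_16, and so on. Anything below the fixed release of its family (including an older micro release such as 1.4.1) is reported as vulnerable; families these advisories do not cover are reported as unknown. The sample version lines are constructed for the example.

```python
import re
import subprocess

# Lowest fixed release per Java family, as quoted in the article:
# JDK/JRE 6 Update 7, 5.0 Update 16, 1.4.2_18 and 1.3.1_23.
# Keyed by (major, minor); value is the full (major, minor, micro, update) tuple.
FIXED = {
    (1, 6): (1, 6, 0, 7),
    (1, 5): (1, 5, 0, 16),
    (1, 4): (1, 4, 2, 18),
    (1, 3): (1, 3, 1, 23),
}

# Matches "1.6.0_07" as well as "1.4.2" (no update level) inside a longer line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) from a bare version string such as
    '1.6.0_07' or from the first line of `java -version` output, e.g.
    'java version "1.6.0_07"'. A missing update level counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def patch_status(text):
    """Classify a version string against the fixed releases:
    'patched'    - at or above the fixed release of its family
    'vulnerable' - below it (this includes e.g. 1.4.1, which predates 1.4.2_18)
    'unknown'    - a family these advisories do not cover (1.2, 1.7, ...)"""
    v = parse_java_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def audit(version_lines):
    """Map each reported version line to its status; handy when several
    JREs are left behind on one machine or gathered from many hosts."""
    return {line: patch_status(line) for line in version_lines}


def installed_java_status():
    """Run `java -version` on PATH and classify the result, or return None if
    no launcher is found. Sun's launcher prints the version banner on stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return None
    banner = (proc.stderr or proc.stdout).strip()
    if not banner:
        return None
    first_line = banner.splitlines()[0]
    return first_line, patch_status(first_line)


# Constructed sample of `java -version` banners, e.g. collected from several hosts.
SAMPLE_VERSIONS = [
    'java version "1.6.0_07"',   # fixed
    'java version "1.5.0_15"',   # one update short of 5.0 Update 16
    'java version "1.4.2_18"',   # fixed
    'java version "1.3.1_20"',   # below 1.3.1_23
    'java version "1.4.1_02"',   # old micro release, never received these fixes
]

if __name__ == "__main__":
    for line, status in audit(SAMPLE_VERSIONS).items():
        print("%-28s %s" % (line, status))
    local = installed_java_status()
    if local:
        print("local java: %s -> %s" % local)
```

The comparison is done on the full version tuple rather than on the update number alone, which is what makes the 1.4.1 case come out right: it is in the 1.4 family but sorts below 1.4.2_18, so it is reported as vulnerable rather than silently skipped.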
- Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data, vulnerability report from Sun
- A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges, vulnerability report from Sun
- Security Vulnerabilities in the Java Runtime Environment Scripting Language Support, vulnerability report from Sun
- Multiple Security Vulnerabilities in Java Web Start may allow Privileges to be Elevated, vulnerability report from Sun
- Security Vulnerability in Java Management Extensions (JMX), vulnerability report from Sun
- Security Vulnerability in JDK/JRE Secure Static Versioning, vulnerability report from Sun
- Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted Application or Applet to Elevate Privileges, vulnerability report from Sun
- Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed, vulnerability report from Sun