Vulnerability in Sun's JRE 5.0
Sun has released a security advisory warning of a vulnerability in JDK and JRE 5.0 through which untrusted applets could access data from other applets. Attackers can use a specially manipulated web server to spy on information, particularly if the user is visiting several web sites at once that employ applets. Some banks use Java applets for HBCI, for example.
Sun claims that the problem is related to a bug in the Swing library of the Java Runtime Environment (JRE) and exists in all versions up to and including update 7 for Solaris, Linux and Windows. The error is corrected starting with update 8; update 9 is the version currently being distributed. Users should check their Java version and update it where necessary – even if the automatic Java update is set by default to run in the background, this does not always mean that the version is fully up to date. The version can be determined through the command java -version.
Because Java updates generally install a completely new version without deleting the old one, users must manually delete the old, vulnerable versions. SDK and JRE 1.4.2_xx and prior as well as 1.3.1_xx and prior are not affected.
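The version check described above can be scripted. The following is an added example, not code from Sun or from the original article: it classifies a version string against the range given in the advisory. The function names and the sample output are constructed for illustration, and versions the article does not mention are reported as unknown.

```shell
#!/bin/sh
# Added example: classify a JRE/JDK version against the advisory's range
# (5.0 through update 7 affected, update 8 and later fixed,
#  1.4.2_xx / 1.3.1_xx and prior not affected).

# Constructed sample of what `java -version` prints (it writes to stderr).
SAMPLE_OUTPUT='java version "1.5.0_07"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)
Java HotSpot(TM) Client VM (build 1.5.0_07-b03, mixed mode, sharing)'

# Read `java -version` output on stdin, print the quoted version string.
extract_java_version() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one of: vulnerable, fixed, not-affected, unknown
classify_java_version() {
    ver=$1
    case "$ver" in
        1.5.0)             echo vulnerable; return ;;   # 5.0 without any update
        1.5.0_*)           ;;                           # decide by update number below
        1.[0-4]|1.[0-4].*) echo not-affected; return ;; # 1.4.2_xx, 1.3.1_xx and prior
        *)                 echo unknown; return ;;      # not covered by the article
    esac
    upd=${ver#1.5.0_}      # "07" from "1.5.0_07"
    upd=${upd%%-*}         # drop a build qualifier such as "-b03"
    case "$upd" in ''|*[!0-9]*) echo unknown; return ;; esac
    upd=$(echo "$upd" | sed 's/^0*//'); upd=${upd:-0}   # strip leading zeros
    if [ "$upd" -le 7 ]; then echo vulnerable; else echo fixed; fi
}

# Old releases stay installed after an update, so classify every version
# string found on the machine, one per line on stdin.
audit_versions() {
    while read -r v; do
        printf '%s\t%s\n' "$v" "$(classify_java_version "$v")"
    done
}

# Demo on the constructed sample; for a real check, pipe `java -version 2>&1`
# from each installed JRE into extract_java_version instead.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_java_version | audit_versions
```

Run it once per installed JRE or JDK, since an update leaves the older directories in place.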
- A Security Vulnerability in the Java Runtime Environment Swing Library may Allow an Untrusted Applet to Access Data in Other Applets, bug advisory from Sun