Clouds of Java Trouble for Sun
Sun Microsystems has disclosed a serious vulnerability in the Java Plug-in technology within the Software Developers' Kit (SDK) and the Java Run-time Environment (JRE) that allows attackers to bypass the Java sandbox and Java applet security.
A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.
The flaw is due to the access controls of the Java-to-JavaScript data exchange in Web browsers that use Plug-in technology, and lets JavaScript load an unsafe class. As a result, a remote attacker could execute hostile applets to access, download, upload or execute arbitrary files, as well as access the Java Virtual Machine user's network.
According to Sun's advisory, "A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet".
Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.
The episode is a big embarrassment for Sun, as Java was designed to be secure. The technology involved is used by Web developers to create small programs, or applets, that can run on any operating system. Java is designed to run programs downloaded from the Internet safely on various operating systems, without causing any harm on the PC, using the "sandbox" that cuts off Java applets from the rest of the system.
Sun's CEO, Scott McNealy, only recently asked the following question to emphasize the secure nature of Java: "When was the last time you heard of a Java virus?" Sorry, Scott, but you have a major boo-boo on your hands.
Sun says there is no workaround, and recommends that users of the SDK and its JRE subset move to versions 1.4.2_06 and later or 1.3.1_13 and later. "Sun is aware that a possible security vulnerability in the Java Virtual Machine was found by Secunia, and has been collaborating with them on quickly addressing the issue," the company said in a statement disclosing the vulnerability. "Although there have been no reported cases of this potential vulnerability being exploited by hackers, Sun takes this issue seriously, as it does all security issues".
A flaw-free version of the JVM software is available on Sun's Web site.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
http://java.sun.com/j2se/1.4.2/download.html
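An added example, not taken from Sun's advisory or the original article: a Python check that triages `java -version` banners from an inventory against the fixed releases named above. The host names and banners are constructed, and treating 1.4.0/1.4.1 and anything older than 1.3.1_13 as needing the update is an assumption drawn from the "and later" wording.

```python
import re

# Minimum fixed releases named in the article. Assumption: 1.3.x and older
# hosts are judged against 1.3.1_13, everything newer against 1.4.2_06.
FIXED_13 = (1, 3, 1, 13)
FIXED_14 = (1, 4, 2, 6)

# Matches version strings such as 1.4.2, 1.4.2_05 or 1.3.1_12-b03.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(text):
    """Return (major, minor, micro, update) from a version string or a
    `java -version` banner line; a missing update number counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def needs_update(text):
    """True when the reported version is older than the fixed release."""
    v = parse_version(text)
    if v[:2] <= (1, 3):
        return v < FIXED_13
    return v < FIXED_14


def triage(inventory):
    """Given host -> banner, return the sorted hosts that need the update."""
    return sorted(h for h, banner in inventory.items() if needs_update(banner))


# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "ws-01": 'java version "1.4.2_05"',
    "ws-02": 'java version "1.4.2_06"',
    "ws-03": 'java version "1.3.1_12"',
    "ws-04": 'java version "1.3.1_13-b02"',
    "ws-05": 'java version "1.4.1"',
    "ws-06": 'java version "1.5.0"',
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(host, SAMPLE[host])
```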