February 8, 2006 10:29 AM PST

Sun issues patches for critical Java flaws

Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system.

The flaws affect systems running on Windows, Solaris and Linux that are using certain versions of Sun's Java Development Kit 1.5, Software Development Kit (SDK) 1.3 and 1.4, and JRE 1.3, 1.4, 1.5 and 5.0, or earlier, according to an advisory issued by Secunia, which rated the flaws as "highly critical."

Sun's JRE software, especially version 1.4, is found on a number of computers and allows users to run Java applications, which operate in a "sandbox"--a separate area cordoned off from the rest of the user's system.

These latest flaws are found in one of the JRE's application programming interfaces, or APIs, which communicate between the sandbox and the rest of the system. The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code.

"An applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet," according to Sun's advisory.

Sun's security patch is its latest involving JRE. Last November, Sun issued a fix for five vulnerabilities in its JRE, of which three also dealt with the API.


6 comments

Flaw in Java!!!
I thought flaws and bugs are reserved for MS products. How could Java running on Linux ever have a security hole, isn't the OS bullet proof??
Posted by FutureGuy (742 comments )
Hate to burst your bubble
Contrary to most people's assumptions that Windows is the only OS with vulnerabilities, the "beloved" Linux is just as ripe for exploiting. The problem is that it doesn't get nearly the press simply because it is only used by a fraction of the population. Always remember: Linux is written BY programmers FOR programmers.

Some useful statistics that help put it into perspective:

Reported Security vulnerabilities:
Windows XP: 2 in 2006, 45 in 2005
Fedora: 15 in 2006, 84 in 2005
RedHat Enterprise Linux AS 4: 11 in 2006, 136 in 2005
Mozilla Firefox 1.x: 1 in 2006, 22 in 2005
Microsoft Internet Explorer 6.x: 0 in 2006, 17 in 2005

That is but a mere taste to illustrate that it is the Open Source community, NOT Microsoft (contrary to popular belief) that has the higher number of reported security vulnerabilities. These stats are taken from http://secunia.com (sorry...not affiliated with Microsoft as you were hoping).
Posted by An0nymus (2 comments )
Yes any OS and VM has flaws.
Flaws aren't just the domain of MS products as viruses and worms have been masquerading around PC's with the MacOS 10 OS for a few weeks.

Extremely critical Mac OS X zero-day exploit released
http://blogs.zdnet.com/Ou/index.php?p=163&tag=nl.e550
Posted by msims (66 comments )
Sick Of Constant Patching
Just a few weeks ago I had to spend my Saturday removing the previous version of Java and installing 1.5. I had to use Registry Mechanic to completely remove every trace because Java's own uninstall leaves all kinds of things from previous versions behind in the Windows registry. Since I have 2 computers, I had to do all this work twice. Now Sun tells me that unless I do this whole rigamarole over again my computer is at risk. What a crock of ****!

What about all those average computer users out there who don't even have a clue as to what Java is, or why they need to upgrade? After all, Java is no longer a Windows component, so it does not show up in the Windows Security Center critical notifications alerts. Yes my friends, something is seriously hosed with the entire Wintel concept if people of modest education cannot even operate a basic input-output device like this safely and securely without running it like a maximum security prison.
Posted by Stating (869 comments )
 
