February 8, 2006 10:29 AM PST

Sun issues patches for critical Java flaws

Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system.

The flaws affect systems running on Windows, Solaris and Linux that are using certain versions of Sun's Java Development Kit 1.5, Software Development Kit (SDK) 1.3 and 1.4, and JRE 1.3, 1.4, 1.5 and 5.0, or earlier, according to an advisory issued by Secunia, which rated the flaws as "highly critical."

Sun's JRE software, especially version 1.4, is found on a number of computers and allows users to run Java applications, which operate in a "sandbox"--a separate area cordoned off from the rest of the user's system.

These latest flaws are found in one of the JRE's application programming interfaces, or APIs, which communicate between the sandbox and the rest of the system. The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code.

"An applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet," according to Sun's advisory.

Sun's security patch is its latest involving JRE. Last November, Sun issued a fix for five vulnerabilities in its JRE, of which three also dealt with the API.

Flaw in Java!!!
by FutureGuy February 8, 2006 11:02 AM PST
I thought flaws and bugs are reserved for MS products. How could Java running on Linux ever have a security hole, isn't the OS bullet proof??
Hate to burst your bubble
by An0nymus February 8, 2006 12:52 PM PST
Contrary to most people's assumptions that Windows is the only OS with vulnerabilities, the "beloved" Linux is just as ripe for exploiting. The problem is that it doesn't get nearly the press simply because it is only used by a fraction of the population. Always remember: Linux is written BY programmers FOR programmers.

Some useful statistics that help put it into perspective:

Reported Security vulnerabilities:
Windows XP: 2 in 2006, 45 in 2005
Fedora: 15 in 2006, 84 in 2005
RedHat Enterprise Linux AS 4: 11 in 2006, 136 in 2005
Mozilla Firefox 1.x: 1 in 2006, 22 in 2005
Microsoft Internet Explorer 6.x: 0 in 2006, 17 in 2005

That is but a mere taste to illustrate that it is the Open Source community, NOT Microsoft (contrary to popular belief) that has the higher number of reported security vulnerabilities. These stats are taken from http://secunia.com (sorry...not affiliated with Microsoft as you were hoping).
Yes any OS and VM has flaws.
by msims February 24, 2006 10:39 AM PST
Flaws aren't just the domain of MS products as viruses and worms have been masquerading around PCs with the MacOS 10 OS for a few weeks.

Extremely critical Mac OS X zero-day exploit released
http://blogs.zdnet.com/Ou/index.php?p=163&tag=nl.e550
Sick Of Constant Patching
by Stating February 8, 2006 12:16 PM PST
Just a few weeks ago I had to spend my Saturday removing the previous version of Java and installing 1.5. I had to use Registry Mechanic to completely remove every trace because Java's own uninstall leaves all kinds of things from previous versions behind in the Windows registry. Since I have 2 computers, I had to do all this work twice. Now Sun tells me that unless I do this whole rigamarole over again my computer is at risk. What a crock of ****!

What about all those average computer users out there who don't even have a clue as to what Java is, or why they need to upgrade? After all, Java is no longer a Windows component, so it does not show up in the Windows Security Center critical notifications alerts. Yes my friends, something is seriously hosed with the entire Wintel concept if people of modest education cannot even operate a basic input-output device like this safely and securely without running it like a maximum security prison.