The flaws are "highly critical," according to an advisory from Secunia posted Tuesday. Vulnerabilities that get that ranking--one notch below "extremely critical," the security monitoring company's most severe rating--typically open the door to a remote intruder and to full compromise of the system.
All the flaws affect the Java Runtime Environment, or JRE, in computers loaded with Microsoft Windows, Linux or Sun's own Solaris operating system. This is the software many computer owners have on their system to run Java applications. The bugs could allow an intruder to use a Java application to inappropriately read and write files, or to run code on a victim's computer, Sun said in three separate security advisories released late Monday.
The vulnerabilities also affect specific versions of the Sun Java Software Development Kit (SDK) and Java Development Kit (JDK), according to those advisories.
The French Security Incident Response Team, or FrSIRT, rated the issues "critical" in an alert posted Tuesday.
There have been no reported cases of the flaws being exploited by hackers, Sun said in a statement.
Three of the bugs lie in application programming interface (API) components of the Java Runtime Environment. Another vulnerability lies in the software's Java Management Extensions implementation. The fifth flaw is in an unspecified part of the JRE.
Sun, based in Santa Clara, Calif., is urging people to install updated software to protect their systems. It has released updates to address the issues, including JDK and JRE 5.0 Update 4, which was actually delivered on June 23. A newer version, Update 5, was issued in September, but Sun would not say if additional security problems were fixed in that release. The software can be downloaded from the Sun Java Web site.
If you understood what Java is, and particularly the nature of the bugs to which this report corresponds, you understand how it isn't possible to set up honey pots to trap these types of algorithm based issues.
As anybody can license and implement their own Java implementation, it is up to each JRE/JDK vendor to ensure the security of their products, subject to the battery of tests and checks specified as part of the license.
While it would be folly to assume any software is perfectly secure, Java's security model has been checked by many experts, as anyone can review the code - indeed I suspect this is how these particular problems were found. This model has thus far resulted in very very few security alerts. (Actually, can anyone think of a comparable technology which has as few or fewer security alerts as Java?)
> "What's Sun's point of contact if users have information to provide?"
For a programming bug like this I'd be tempted to (also?) check out their bug/issue reporting site. This is likely to bring the issue to the maximum number of eyeballs in the shortest time.
> "How big a hack do they call no reported hackers exploiting? Do they mean corporations getting hax0red or are they saying, no single home user has been compromised?"
Presumably it means that no software is circulating which is known to use these exploits. The problem was fixed long before anyone exploited it.
Java is not perfect, but as with most software companies not named Microsoft, its bugs are generally fixed quickly and without ever being exploited.
Write once........
by SqlserverCode, November 30, 2005 6:57 AM PST
Write once, infect everywhere
http://otherthingsnow.blogspot.com