Sun Microsystems has fixed five security bugs in Java that expose computers running Windows, Linux and Solaris to hacker attack.
The flaws are "highly critical," according to an advisory from Secunia posted Tuesday. Vulnerabilities that get that ranking--one notch below "extremely critical," the security monitoring company's most severe rating--typically open the door to a remote intruder and to full compromise of the system.
All the flaws affect the Java Runtime Environment, or JRE, in computers loaded with Microsoft Windows, Linux or Sun's own Solaris operating system. This is the software many computer owners have on their system to run Java applications. The bugs could allow an intruder to use a Java application to inappropriately read and write files, or to run code on a victim's computer, Sun said in three separate security advisories released late Monday.
The vulnerabilities also affect specific versions of the Sun Java Software Development Kit (SDK) and Java Development Kit (JDK), according to those advisories.
The French Security Incident Response Team, or FrSIRT, rated the issues "critical" in an alert posted Tuesday.
There have been no reported cases of the flaws being exploited by hackers, Sun said in a statement.
Sun, based in Santa Clara, Calif., is urging people to install updated software to protect their systems. It has released updates to address the issues, including JDK and JRE 5.0 Update 4, which was actually delivered on June 23. A newer version, Update 5, was issued in September, but Sun would not say if additional security problems were fixed in that release. The software can be downloaded from the Sun Java Web site.
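The article's advice reduces to one check: is the installed JRE at or above the update that carries the fixes? The following Python script is an added example (not from the article, Sun, or Secunia) that parses the output of `java -version` and compares it with JRE 5.0 Update 4. It assumes Sun's version-string convention of the period, in which J2SE 5.0 Update 4 reports itself as `1.5.0_04`; the sample outputs in the block are constructed for illustration, not captured from real machines. Because the article gives a fixed update level only for the 5.0 line, other lines (such as 1.4.2) are reported as unknown rather than guessed.

```python
import re
import subprocess

# Sun-era version strings look like "1.5.0_04" (J2SE 5.0 Update 4) or
# "1.4.2_08": a legacy "1." prefix, then the release number, then the
# update level after the underscore (absent on the initial release).
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# First 5.0 build the article says carries the five fixes: Update 4.
FIXED_5_0 = (1, 5, 0, 4)

# Constructed sample outputs of `java -version` (not real captures).
SAMPLES = {
    "vulnerable": 'java version "1.5.0_03"\n'
                  'Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_03-b07)',
    "fixed": 'java version "1.5.0_04"\n'
             'Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_04-b05)',
    "later": 'java version "1.5.0_05"',
    "other_line": 'java version "1.4.2_08"',
    "garbage": "bash: java: command not found",
}


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    # A missing update suffix means the initial release, i.e. update 0.
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version, fixed=FIXED_5_0):
    """True if `version` is the fixed 5.0 update or later, False if an
    earlier 5.0 build, None if unparseable or from a different release
    line (the article states no fixed update level for those)."""
    if version is None:
        return None
    if version[:3] != fixed[:3]:
        return None
    return version[3] >= fixed[3]


def classify_samples():
    """Classify every constructed sample; used by the self-check below."""
    return {name: is_patched(parse_java_version(text))
            for name, text in SAMPLES.items()}


def check_installed():
    """Run the local `java -version` (it prints to stderr) and classify it.
    Returns None when no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_patched(parse_java_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name}: {result}")
    print("local java patched:", check_installed())
```

A result of `False` means the 5.0 runtime predates Update 4 and should be updated; `None` means the script could not decide, which on a 1.4.2 installation is the honest answer, since the article does not say which 1.4.2 update fixed the same bugs.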
How good is Sun's intelligence infrastructure for detecting hacker activity? Do they have honeypots, or are they hoping for information to be brought forward from security intelligence and research centers? What's Sun's point of contact if users have information to provide? How big a hack do they call no reported hackers exploiting? Do they mean corporations getting hax0red, or are they saying no single home user has been compromised? The mind boggles. I'm sure if I poke around at http://www.sun.com/software/security/ I'll get some answers.
> "How good is Sun's intelligence infrastructure for detecting hacker activity? Do they have honeypots, or are they hoping for information to be brought forward from security intelligence and research centers?"
If you understood what Java is, and particularly the nature of the bugs to which this report corresponds, you understand how it isn't possible to set up honey pots to trap these types of algorithm based issues.
As anybody can license and implement their own Java implementation, it is up to each JRE/JDK vendor to ensure the security of their products, subject to the battery of tests and checks specified as part of the license.
While it would be folly to assume any software is perfectly secure, Java's security model has been checked by many experts, as anyone can review the code - indeed I suspect this is how these particular problems were found. This model has thus far resulted in very, very few security alerts. (Actually, can anyone think of a comparable technology which has as few or fewer security alerts as Java?)
> "What's Sun's point of contact if users have information to provide?"
For a programming bug like this I'd be tempted to (also?) check out their bug/issue reporting site. This is likely to bring the issue to the maximum number of eyeballs in the shortest time.
> "How big a hack do they call no reported hackers exploiting? Do they mean corporations getting hax0red, or are they saying no single home user has been compromised?"
Presumably it means that no software is circulating which is known to use these exploits. The problem was fixed long before anyone exploited it.
Java is not perfect, but as with most software companies not named Microsoft, its bugs are generally fixed quickly and without ever being exploited.
http://otherthingsnow.blogspot.com