July 13, 2007 5:41 AM PDT
Sun says Java flaw has been patched
- Related Stories
Sun tries again with consumer-flavored JavaMay 7, 2007
Sun patches critical JRE security flawsJanuary 18, 2007
Sun promises to open-source JavaMay 16, 2006
Java inches closer to open sourceMay 16, 2006
Sun program designed to spread Java softwareMay 15, 2006
Sun to make Java more Linux-friendlyMay 4, 2006
Apple issues Java security updateApril 19, 2006
Sun issues patches for critical Java flawsFebruary 8, 2006
A news story from ZDNet Australia based on a CERT advisory identified vulnerabilities within Sun's Java Runtime Environment. However, Sun representatives said the company has already patched the flaws and that there are no known exploits circulating in the wild.
Sun on Friday released a new version of Java SE 6 Update 2 that it says addresses all current vulnerabilities.
The Australian CERT advisory published Thursday, an update of an original advisory posted on June 4, summarizes two Java Runtime Environment vulnerabilities and also provides links to Sun's patches.
The Java Runtime Environment vulnerabilities cited in the article were first reported by Chris Evans of Google's security team in October. He reported them to Sun, then to the public on May 15.
One flaw demonstrated in Evans' advisory shows an integer overflow in a JPEG image. Documented in CVE-2006-2788, this affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06.
A second demo shows a local file being opened via the BMP image parser. This was documented in CVE-2006-2789 and affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06 on Unix and Linux systems.
Sun spokeswoman Jacki DeCoster recommends that consumers go to Java.com and download Java SE 6 update 2, installing the latest version of the Java Runtime Environment. Additional information about the specific patches related to these vulnerabilities can be found on the company's SunSolve site.