Sun says Java flaw has been patched

Sun Microsystems says a Java security threat, the subject of an earlier Australian report, has been patched.

A news story from ZDNet Australia based on a CERT advisory identified vulnerabilities within Sun's Java Runtime Environment. However, Sun representatives said the company has already patched the flaws and that there are no known exploits circulating in the wild.

Sun on Friday released a new version of Java SE 6 Update 2 that it says addresses all current vulnerabilities.

The Australian CERT advisory published Thursday, an update of an original advisory posted on June 4, summarizes two Java Runtime Environment vulnerabilities and also provides links to Sun's patches.

The Java Runtime Environment vulnerabilities cited in the article were first reported by Chris Evans of Google's security team in October. He reported them to Sun, then to the public on May 15.

One flaw demonstrated in Evans' advisory shows an integer overflow in a JPEG image. Documented in CVE-2006-2788, this affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06.

A second demo shows a local file being opened via the BMP image parser. This was documented in CVE-2006-2789 and affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06 on Unix and Linux systems.

Sun spokeswoman Jacki DeCoster recommends that consumers go to Java.com and download Java SE 6 update 2, installing the latest version of the Java Runtime Environment. Additional information about the specific patches related to these vulnerabilities can be found on the company's SunSolve site.