Critical Java Bug Targets Java Virtual Machine
By Ian Betteridge | Posted 2004-11-23

A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromi
A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromised machine.The vulnerability affects JRE (Java Runtime Environment) Versions 1.4.2_05 and prior, Versions 1.4.1 and 1.4.0, and Version 1.3.1_12 and prior, running on Windows, Solaris and Linux. JRE Versions 1.4.2_06 and 1.3.1_13 and later are unaffected, and Sun recommends that all users upgrade their Java installations as soon as possible in order to avoid this vulnerability. Third-party JVMs (Java Virtual Machines), such as Microsoft Corp.'s, are not affected.
The bug, discovered by Finnish security consultant Jouko Pynnonen and detailed on Sun's Web site, allows a malicious user to create a Web page that uses JavaScript to transfer objects to an untrusted Java applet for some private classes used internally by the Java Virtual Machine. This could be used to turn off Java's security system, disabling the "sandbox" mechanism that should prevent untrusted applets from gaining access to the system.
According to security specialist iDefense Inc., which coordinated the release of the issue, this ability to compromise the sandbox is what makes this issue stand out. iDefense Director Michael Sutton said that "normally, you should not be able to access anything outside the sandbox, and this vulnerability allows you to do so."
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
What Partners Need to Know About HP, ...
In the channel, HP, Inc. is a storied vendor that has relationships...Watch Now