Critical Java Bug Targets Java Virtual MachineBy Ian Betteridge | Posted 2004-11-23 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromiA highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromised machine.
The vulnerability affects JRE (Java Runtime Environment) Versions 1.4.2_05 and prior, Versions 1.4.1 and 1.4.0, and Version 1.3.1_12 and prior, running on Windows, Solaris and Linux. JRE Versions 1.4.2_06 and 1.3.1_13 and later are unaffected, and Sun recommends that all users upgrade their Java installations as soon as possible in order to avoid this vulnerability. Third-party JVMs (Java Virtual Machines), such as Microsoft Corp.'s, are not affected.
According to security specialist iDefense Inc., which coordinated the release of the issue, this ability to compromise the sandbox is what makes this issue stand out. iDefense Director Michael Sutton said that "normally, you should not be able to access anything outside the sandbox, and this vulnerability allows you to do so."
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.