Critical Java Bug Targets Java Virtual Machine

A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromi

A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromised machine.

The vulnerability affects JRE (Java Runtime Environment) Versions 1.4.2_05 and prior, Versions 1.4.1 and 1.4.0, and Version 1.3.1_12 and prior, running on Windows, Solaris and Linux. JRE Versions 1.4.2_06 and 1.3.1_13 and later are unaffected, and Sun recommends that all users upgrade their Java installations as soon as possible in order to avoid this vulnerability. Third-party JVMs (Java Virtual Machines), such as Microsoft Corp.'s, are not affected.

The bug, discovered by Finnish security consultant Jouko Pynnonen and detailed on Sun's Web site, allows a malicious user to create a Web page that uses JavaScript to transfer objects to an untrusted Java applet for some private classes used internally by the Java Virtual Machine. This could be used to turn off Java's security system, disabling the "sandbox" mechanism that should prevent untrusted applets from gaining access to the system.

Once the sandbox restrictions are disabled, a malicious Java applet could be used to compromise the system. The applet would have the same privileges as the logged-in user, which would mean that a malicious applet could have access to the local machine and any connected networks. In theory, a malicious applet could go on to download and install other applications as well.

According to security specialist iDefense Inc., which coordinated the release of the issue, this ability to compromise the sandbox is what makes this issue stand out. iDefense Director Michael Sutton said that "normally, you should not be able to access anything outside the sandbox, and this vulnerability allows you to do so."

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.