Sun Repairs Numerous Vulnerabilities of Java
On October 3, 2007, Sun Microsystems Inc. repaired 11 vulnerabilities in the Solaris, Linux and Windows versions of the JRE (Java Runtime Environment) and Java Web Start. The list also includes vulnerabilities that outside researchers had rated 'critical'.
The fixes for JRE 1.3.1, 1.4.2, 5.0 and 6.0 plug holes that attackers could exploit to bypass security restrictions, manipulate data, compromise an unpatched machine or disclose sensitive data. As Java has become a target for cyber crooks, it is recommended not to put off installing this update. Sun estimates that the program is installed on more than 600 million PCs worldwide.
In its security advisories Sun states that two of the JRE bugs allow code from malicious websites to open network connections to systems other than the targeted PC. According to a paper by researchers at Stanford University, a crucial consequence, which Sun acknowledged, is that firewalls can be circumvented.
The other flaws are equally dangerous. A total of six vulnerabilities in Java Web Start can permit an untrusted application to read and write local files, use the Java Web Start cache and copy files. As a result, the application can find out which applications have been downloaded to the PC.
Tom Kristensen, CTO of security company Secunia (which issued its own alert after analyzing the vulnerabilities), said that Java applications should run inside a sandbox, but here there is effectively no sandbox, because they can easily break out of it and do things that are strictly condemned, as Internetnews.com reported on October 4, 2007.
Tom added that Sun's description does not clearly explain whether there are any particular restrictions on what the malicious code can do once it enters the network. He also said that there may be restrictions they are not aware of, but not based on what is presented here.
In a nutshell, the advice is to get it fixed as soon as possible. Tom said one should not hesitate to apply this one; Java has an automatic update mechanism, but he suggested that users perform a manual update to confirm that they have the latest version.
SPAMfighter News - 22-10-2007