Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Sun Repairs Java Flaw in its GIF Images

Sun Microsystem's Java Runtime Environment encounters a flaw when it processes graphic formats or GIF images. But the company has designed a critical security patch to repair the vulnerability.

An anonymous researcher reported to TippingPoint's Zero Day Initiative (ZDI) that by accurately exploiting the flaw it is capable of permitting execution of code remotely on a victim's computer.

Sun ALERT 102760 has named the hole as a security flaw in creating GIF images in JavaScript that carries the chances of letting an un-trusted applet to enhance privileges. These could enable attackers to access local files, read and write them, or run applications on the victim's PC. The vulnerability arises from a buffer overflow in the manner Java works on GIF images.

An advisory by Sun warns that an applet is likely to grant itself with the ability to read and write local files and even execute applications on the computer with the user gaining privileges to run the un-trusted applet. The exploitation of this vulnerability is possible only when the user visits a malicious website.

By setting the image width in an image block of a legitimate GIF file to zero, the Java runtime can allocate the assigned size but then copy all information to insufficiently allocated memory chunk, explained ZDI in its advisory. The overflow leads to defacing multiple pointers, at least one, which later allows installing an arbitrary code.

The JRE contains the Java Virtual Machine and executables and files that support the program. It also contains software that stops applets from creating trouble on the system as a whole.

Sun has found the flaw to affect versions of the JRE operating on Windows, Linux and Solaris. The Sun advisory points the specific updates, vulnerable to the flaw. These are JDK and JRE5.0 Update 9 and earlier, DK and JRE1.4.2_12 and earlier, and SDK and JRE 1.3.1_18.

Sun says the biggest problem is that the vulnerability doesn't produce any alert symptoms of the exploit to the users. So far there has been no report of exploitation of the earlier unrevealed vulnerability while Sun has by now updated all affected versions.

Related article: Some Suggestions to Deter ‘Windows Rot’

» SPAMfighter News - 1/24/2007

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page