Sun Fixes Severe Java Vulnerabilities
Holes in Java code could let malicious apps access your file system or your network without your knowledge.
Security experts are warning anyone running Java on their computer needs to upgrade their software immediately, regardless of platform. The reason? Sun just plugged several severe vulnerabilities in the Java Runtime Environment that could leave computers open to severe compromise.
All told, Sun has fixed 11 vulnerabilities in the past few days. Because these are part of the Java Runtime and Java components, it covers all platforms that run Java. The full details are on Sun's security blog.
The vulnerabilities are across the board. They affect JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier and SDK and JRE 1.3.1_20 and earlier. Sun has already posted fixes to all of the software for download.
The vulnerabilities are not to be taken lightly, either. The most severe of the problems makes it possible for a site hosting malicious code to gain access to an internal network, passing right through the firewall and security systems when a person unknowingly accesses a Web site hosting the malicious code.
This would allow the code to make connections to network services and machines inside the firewall, so once inside your network, the malicious code could go almost anywhere on the network and access anything. This could allow network resources not normally accessible via the Internet to be accessed or exploited.
What makes the vulnerability so dangerous is that security methods, like antivirus programs, might detect a Trojan (define) coming over the wire, but they won't see Java code as harmful. Nor would they find a Java applet probing the internal network as unusual either. So even security heuristics will miss it.
The others are just as dangerous. A total of six vulnerabilities in Java Web Start could allow an untrusted application to read and write local files, copy files or access the Java Web Start cache, which would in turn let the application determine what applications are installed on the machine.