Sun Fixes Security Vulnerability with Java Plug-in in JRE/SDK

Last week, Finnish security researcher Jouko Pynnonen and iDEFENSE Inc. disclosed that the Sun Java Plug-in in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions does not properly restrict access between JavaScript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code. The discovery has led to the release of a patch by Sun.

The issue, which affected SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier on the Windows, Linux, and Solaris platforms, has been resolved.

JDK and JRE 5.0 are not affected by this issue. The fix will nonetheless be a relief to those who noticed that, by its own admission, Sun conceded that "there are no reliable symptoms that would indicate the described issue has been exploited."
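Added here as an illustration, not code from the article or from Sun: a Python check that compares reported JRE/SDK version strings (as printed by `java -version`) against the affected-version list above, so an inventory can be triaged. Host names in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected releases as stated in the article (Windows, Linux, Solaris):
#   SDK/JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases,
#   and 1.3.1_12 and earlier. JDK/JRE 5.0 (1.5.0) is not affected.
# Releases older than 1.3 are only "possibly" affected, so they are
# reported as unknown (None) rather than guessed.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?")

Version = Tuple[int, int, int, int]


def parse_java_version(text: str) -> Optional[Version]:
    """Extract (major, minor, micro, update) from a version string or from
    the first line of `java -version`, e.g. 'java version "1.4.2_05"'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the article's affected list, False if it
    is a fixed or unaffected release, None if unparseable or not covered."""
    v = parse_java_version(text)
    if v is None or v < (1, 3, 0, 0):
        return None
    if v[:2] == (1, 3):
        return v <= (1, 3, 1, 12)   # 1.3.1_12 and earlier
    if v[:2] == (1, 4):
        return v <= (1, 4, 2, 5)    # 1.4.2_05 and earlier, all 1.4.0/1.4.1
    return False                    # 1.5.0 (5.0) and later


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, Optional[bool]]:
    """Map each (host, version string) pair to its affected status."""
    return {host: is_affected(ver) for host, ver in inventory}


# Constructed sample inventory (host names are made up).
SAMPLE = [
    ("build01", 'java version "1.4.2_05"'),   # affected
    ("build02", 'java version "1.4.2_06"'),   # fixed release
    ("desk07", 'java version "1.3.1_12"'),    # affected
    ("desk09", 'java version "1.5.0"'),       # 5.0, not affected
]
```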

Sun today issued the following statement on this topic:

"Sun is aware that a possible security vulnerability in the Java Virtual Machine was found by Secunia, and has been collaborating with them on quickly addressing the issue. Although there have been no reported cases of this potential vulnerability being exploited by hackers, Sun takes this issue seriously, as it does all security issues. Sun began distributing the upgrade that addressed the vulnerability in early October to its customers, and this week posted the security alert and the updated version of the Java Runtime Environment that eradicates a possible vulnerability to the general public. Sun will not speculate on the vulnerability or scenarios under which it could possibly be exploited. The upgrade is available at the www.sun.com/developers Web site."

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seem likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.


Reader Feedback

It was nice that a patch was released before the exploit was widely known, but this is the first I have heard of the exploit.

I am sure this would have clouded over the launch of Solaris 10, but I would have appreciated knowing about this last month when the exploit was patched.

This exploit was limited to people who actually have a JDK installed. This limits the population of susceptible systems to people who develop with Java or to people who use Java-based software which uses a recent Java spec - a fairly small group.
