RealTime IT News

Sun Plugs Highly Critical Java Vulnerability

Sun has officially announced that it has fixed a highly critical vulnerability in its Java Runtime Environment (JRE). The flaw was first reported to Sun six months ago, but the public's just finding out about it this week.

Sun ALERT 102760 has labeled the flaw as a security vulnerability in processing GIF images in Java that could possibly allow an untrusted applet to elevate privileges.

The flaw stems from a buffer overflow vulnerability in how Java processes GIF images.

"For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet," Sun's advisory warns.

Sun has identified that the flaw affects versions of the JRE running on Windows, Solaris and Linux. The Sun advisory specifically notes that JDK and JRE 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier are vulnerable to the flaw.
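An added inventory check, not from the article or from Sun, that parses `java -version` output and compares it against the three version ceilings the article quotes; it assumes that 5.0 Update 9 reports itself as `1.5.0_09` and that the version line has the usual `java version "1.x.y_zz"` shape (the sample output below is constructed):

```python
import re

# Highest affected release per family, taken from the article's list.
# Assumption: 5.0 Update 9 is reported by the runtime as 1.5.0_09.
AFFECTED_CEILING = {
    (1, 5): (1, 5, 0, 9),    # JDK/JRE 5.0 Update 9 and earlier
    (1, 4): (1, 4, 2, 12),   # SDK/JRE 1.4.2_12 and earlier
    (1, 3): (1, 3, 1, 18),   # SDK/JRE 1.3.1_18 and earlier
}

# Matches the first line of `java -version`; the update number is optional
# and any build suffix such as "-b03" is ignored.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no java version string found in output")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))

def is_affected(version):
    """True/False for families the article lists; None if the family is
    not covered, so an unlisted runtime is never reported as safe."""
    ceiling = AFFECTED_CEILING.get(version[:2])
    if ceiling is None:
        return None
    # Tuple comparison orders 1.4.2_12 before 1.4.2_13 and 1.4.1 before 1.4.2.
    return version <= ceiling

def check_output(output):
    """Convenience wrapper: (parsed version, affected verdict)."""
    v = parse_java_version(output)
    return v, is_affected(v)

# Constructed sample of what `java -version` prints on a vulnerable host.
SAMPLE_OUTPUT = """java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode)
"""

if __name__ == "__main__":
    version, affected = check_output(SAMPLE_OUTPUT)
    print(version, "affected" if affected else "not affected/unknown")
```

Feed it the captured output of `java -version` from each host; a `None` verdict means the family is outside the article's list and must be checked against the vendor advisory directly.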

Perhaps the most troubling aspect of the vulnerability is that there aren't any specific symptoms to alert users that there has been an exploit, according to Sun. 3COM's Tipping Point division issued an advisory that notes, however, that user interaction is required to exploit this vulnerability because the target must visit a malicious Web site.

Tipping Point reported the flaw to Sun in June. There are no known public reports to date of the previously undisclosed vulnerability being exploited in the wild.

Coordinated public disclosure of the vulnerability occurred this week in tandem with the release of updated versions of Java, which fix the vulnerability.

All affected versions have now been updated by Sun.