UPDATED: Security researchers are calling attention to what they called a “fairly significant” vulnerability in Sun Microsystems’ Java virtual machine
According to iDefense, the vulnerability targets the internal packages within Sun’s JVM on certain versions of Java 2, Standard Edition (J2SE) 1.4.2 running on the Unix and Windows platforms with Internet Explorer (IE), Mozilla and Firefox. The JVM
Sun did not comment specifically on the vulnerability, but issued a statement.
“First, we would point out that there have been no reported attacks that exploit this vulnerability,” Sun said in its announcement. “Secondly, we would note that as of 3 pm ET this afternoon, the latest version of the J2SE JRE will also be available on the java.com site.”
With the JVM breached, the attacker gains access to the user’s network and the privileges to access, download, upload or execute files on the user’s PC or workstation.
Officials at the security outfit confirmed the vulnerability’s existence on J2SE 1.4.2_01 and J2SE 1.4.2_04 and suspect it resides in other builds of the Java technology. Sun was notified of the flaw on June 29 and issued an update to the affected software with build 6, published on the Sun Web site Oct. 11, according to officials at the software company.
According to Michael Sutton, iDefense director, what makes this
the information coming from the issuer before it could execute.
The exploit itself is pretty trivial; it’s not very detailed, it’s just a flaw in the implementation.”
While iDefense experts say the target user must be running a browser on top of the JVM for the exploit to work, it’s possible to create a cross-platform, cross-browser exploit that would give the attacker the same privileges as the victim.