Free PC Diagnostics
Windows Boot Errors
Secure your PC
Link to us
Sun Corrects a Dozen Vulnerabilities in Java
5 November, 2009
§ These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before 4 November, running on Windows, Solaris, and Linux platforms
§ How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
§ Impact: Various results; in the worst case, an attacker can gain complete control of your computer
§ What to do: Install the appropriate JRE (or JDK) update as soon as possible
Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Sun's Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.
Yesterday, Secunia released a security alert warning of multiple vulnerabilities (around a dozen total) that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ quite a bit technically, an attacker can exploit many of them in a similar manner -- by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute attack code on your user's computer. If your user has local administrative privileges, the attacker could potentially leverage these flaws to gain complete control of that user's machine. Some of the remaining vulnerabilities allow an attacker to launch Denial of Service attacks or to elevate their privileges on your users' computer.
If you run a Solaris or Linux network, you probably know whether or not you use Sun JRE (in most cases, you do). However, if you manage a Windows network your status is less clear. In the past, Windows shipped with Microsoft's own Java interpreter, called Java Virtual Machine (MSJVM). Since earlier editions of IE use MSJVM to interpret Java applets, most Windows users who browse with IE aren't vulnerable to this flaw. Because of a legal conflict with Sun, Microsoft had to discontinue the use of MSJVM in its most recent versions of Windows. For instance, MSJVM doesn't ship with Windows Server 2003 or versions of Windows XP that come prepackaged with SP1a or SP2 (XP users who upgraded to SP1 or SP2 on their own retain MSJVM). These newer Windows releases require that you download your own Java interpreter; in which case, you probably have Sun JRE and need to update as soon as possible.
If you're unsure what your version of IE uses to interpret Java, there's an easy way to find out. In IE, click on Tools => Internet Options => Advanced tab. Scroll down to the Microsoft VM section and check "Java console enabled." Restart IE and then click View => Java Console. A window opens and displays the name and version number of the Java interpreter your IE browser uses. If you're not using Sun JRE, the vulnerability doesn't affect you.
Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible:
§ JRE and JDK 6.0: Download Update 17
§ JRE and JDK 5.0: Download Update 22
§ Java SE for Business JRE and SDK 1.4.x: Download version 1.4.2_24
§ JRE and SDK 1.3.x: Download version 1.3.1_27
Note: Your Sun JRE client may also automatically inform you of an update. If it does, be sure to let it install this update for you.