Flaw in the Sun Java Plugin is elusive and very dangerous

By John McCormick, Special to ZDNet Asia
Tuesday, November 30, 2004 04:02 PM

A recently-discovered vulnerability in the Sun Java Plugin is a threat to many Web browsers such as Mozilla, Firefox, and Internet Explorer, and it also affects multiple operating systems.

Details
Of this serious flaw with the Java Plugin, Sun says, "A vulnerability in the Java Plugin may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."

This threat is platform-independent and can affect any system with a vulnerable version of Java installed.

Sun directs IT professionals to see the appropriate Mitre CVE for further information, saying that the issue is described in CAN-2004-1029. Of course, CVE notes normally provide almost no information, so even the Sun page is more helpful, but read on to see how difficult that page can be to locate.

To see Sun-acknowledged vulnerabilities in Java after November, 2002, Sun advises going to the Sun Alert Notifications page. Unfortunately, this is nothing but a search link, and clicking on any of the obvious "patches" or "Security Information" links along the left side of the page doesn't give you any information about current exploits.

The search engine isn't much help either. For example, if you look up "SDK," the last vulnerability listed is from May of 2003. A "JVM" search locates problems announced in July and September of this year, but there is no mention of the current threat (and a search for "Java" provides similar results).

The specific problem in this latest Java threat is actually related to the Java sandbox, which was created to provide a safe place to execute Java code. However, even if you already know some details of the threat and search for "Java sandbox," you won't find any reports newer than a year old.

Only if you know to click on the "Browse documents" link (and then select Sun Alert Notifications) will you actually find relevant information about the most recent threats.

The new Java Plugin vulnerability in JRE and SDK is listed in document 57591, dated November 22, 2004.


Author's note
Disclosure of this threat was widely disseminated through various news services in the last few days. By the time you read this, however, the Sun links may be more prominently displayed on the Sun site.


Applicability
This affects the Java Software Development Kit and Java Runtime Environment on Solaris, Windows, and Linux. “JDK and JRE 5.0” are not affected according to Sun, but “SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier” are vulnerable.
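Because the vulnerable releases are identified only by version string, the practical first step for an administrator is to compare what `java -version` reports on each machine against Sun's list. The following script is an added example written for this article, not code from Sun or ZDNet: it parses the first line of `java -version` output (the `1.4.2_05` style of version string, which Java 5.0 reports as `1.5.0`) and classifies it using exactly the ranges quoted above. Versions the advisory does not mention (for example 1.3.0 or 1.2.x) are reported as "not covered by the advisory" rather than guessed at. The function and constant names are my own.

```python
import re
import subprocess

# Ranges quoted from Sun Alert 57591 in the article above:
#   SDK/JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases,
#   and 1.3.1_12 and earlier are vulnerable; JDK/JRE 5.0 (1.5.x) is not.
LAST_VULNERABLE_142_UPDATE = 5
LAST_VULNERABLE_131_UPDATE = 12

# Matches e.g.  java version "1.4.2_05"  or  java version "1.5.0"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def classify(version):
    """Classify a parsed version against the ranges Sun lists for CAN-2004-1029."""
    major, minor, micro, update = version
    if (major, minor) == (1, 4):
        if micro in (0, 1):          # all 1.4.0 and 1.4.1 releases
            return "vulnerable"
        if micro == 2:               # 1.4.2_05 and earlier
            return "vulnerable" if update <= LAST_VULNERABLE_142_UPDATE else "not affected"
        return "not covered by the advisory"
    if (major, minor, micro) == (1, 3, 1):   # 1.3.1_12 and earlier
        return "vulnerable" if update <= LAST_VULNERABLE_131_UPDATE else "not affected"
    if (major, minor) == (1, 5):             # JDK/JRE 5.0, stated as not affected
        return "not affected"
    return "not covered by the advisory"


def check_installed_java():
    """Run the local `java -version` (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java binary on PATH"
    version = parse_java_version(proc.stderr + proc.stdout)
    if version is None:
        return "could not parse java -version output"
    return classify(version)


if __name__ == "__main__":
    # Constructed sample output, in the format a 2004-era JRE printed.
    sample = 'java version "1.4.2_05"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)\n'
    print(sample.splitlines()[0], "->", classify(parse_java_version(sample)))
    print("installed:", check_installed_java())
```

Run it on each workstation (or feed it captured `java -version` output) and act on any "vulnerable" result; note that a browser may use a plugin from a different Java installation than the one on the shell's PATH, so check the plugin's own version from the browser's plugin list as well.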

Risk level – Severe
This threat can allow attackers to completely bypass Java security settings. Even more serious, I suspect that the vast majority of users and even security administrators will remain completely ignorant of this potential threat or the need to switch VMs or update the Java code on their systems, so this threat could be around for years to come on a lot of machines, and the longer it exists the more serious it becomes.

