Java flaw could lead to Windows, Linux attacks

Thread: Java flaw could lead to Windows, Linux attacks

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Java flaw could lead to Windows, Linux attacks

    A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.

    The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.

    The Java plug-in enables small Web programs, known as applets, to run safely on a user's computer. But the security flaw allows a malicious Web site accessed through a victim's browser to bypass those protections.

    "It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a 'critical' classification," Pynnonen stated in an e-mail interview with CNET News.com.

    "The same exploit could also be used against various operating systems and browsers, which makes it more serious," he added. The vulnerability can be used to attack systems running on Windows or Linux, for example, and using major browser software such as Microsoft's Internet Explorer and Firefox--meaning a large number of systems are vulnerable to attack.

    An attacker could use the flaw to do anything the victim normally could, including browse, modify or run files, upload more programs to the victim's system, or send out data from the system, Pynnonen wrote in an advisory dated Tuesday.

    While the major browsers have had to deal with a significant number of security issues, the flaw is a rare black eye for the security of Sun's Java technology. Java is designed to be able to run programs downloaded from the Internet on various operating systems safely, without danger to a PC. The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.

    However, the flaw allows small snippets of Web code, known as Javascript, to execute functions of Java that were never meant to be run by external programs.

    Last week, while announcing details of Sun's forthcoming Solaris 10 operating system, President Jonathan Schwartz noted that Java hasn't been afflicted by a single Java virus.

    However, the new security hole could allow a virus to use the Java plug-in to invade PC systems. In October, a flaw in the Java plug-in for cell phones raised the specter that a malicious program disguised as a helpful application could attack a phone's software, if run by a user.

    Like the recent iFrame vulnerability in Microsoft's Internet Explorer, the Java flaw could allow a malicious Web site to download and execute a program that would compromise a visitor's PC.

    "It could be easily used for spreading viruses or other malware," Pynnonen said in the e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However an e-mail message could contain a link to a Web page which has the exploit."

    While Sun would not speculate on how the flaw could be used by attackers, the company did say that it worked hard to distribute the patch for it to all users.

    "We took this very seriously, and we have gone the extra mile to post these patches," a Sun representative said on Tuesday.

    The advisories from Sun, Secunia and Pynnonen do not address whether the problem could affect Apple Computer's Mac OS X operating system, which is based on a Unix-like core of code, similar to Linux. The Sun representative said that the Mac issue is being investigated.

    Apple Computer was not immediately available for comment.
    Source : http://news.zdnet.com/2100-1009_22-5464872.html
    -Simon "SDK"

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OUCH!!!

    'Nuff said?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Can anyone say, "superworm"?

    This one is going to spank a LOT of home users. Won't touch the big boys though.

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Sun's Alert Notification at http://sunsolve.sun.com/search/docum...y=1-26-57591-1

    5. Resolution This issue is addressed in the following releases:

    * SDK and JRE 1.4.2_06 and later
    * SDK and JRE 1.3.1_13 and later

    for the following platforms:

    * Solaris
    * Windows
    * Linux
    Sadly, the "Update Now" button in my J2SE 1.4.2_05 RE Plug-in Control Panel informs me that I already have the latest version installed. You'll probably have to update manually, for now. And another thing: the auto-update thingy is set to go off once a month by default. You might want to turn that up a notch for fixes like these.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
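
The fixed releases listed in the post above, turned into a version check (an added example, not part of the original thread or Sun's alert). The host names and banners in `SAMPLE` are constructed, and release trains the alert excerpt does not name are reported as `unknown` rather than guessed.

```python
import re
import subprocess

# First patched update per release train, as listed in the alert quoted above.
FIXED = {(1, 4, 2): 6, (1, 3, 1): 13}

# Legacy banner format, e.g.  java version "1.4.2_05"
BANNER = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_banner(text):
    """Return ((major, minor, micro), update) or None if no banner is found."""
    m = BANNER.search(text)
    if m is None:
        return None
    train = tuple(int(g) for g in m.group(1, 2, 3))
    return train, int(m.group(4) or 0)

def classify(text):
    """'patched', 'needs-update', or 'unknown' for trains the alert does not list."""
    parsed = parse_banner(text)
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"
    train, update = parsed
    # Compare update numbers as integers so that _10 sorts after _06.
    return "patched" if update >= FIXED[train] else "needs-update"

def audit(inventory):
    """Map of host -> banner text in; sorted hosts that still need the fix out."""
    return sorted(h for h, b in inventory.items() if classify(b) == "needs-update")

def local_banner():
    """Banner of the java on PATH (it is written to stderr), or '' if absent."""
    try:
        return subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10).stderr
    except (OSError, subprocess.TimeoutExpired):
        return ""

# Constructed sample inventory: host names and banners are made up.
SAMPLE = {
    "desk-01": 'java version "1.4.2_05"',
    "desk-02": 'java version "1.4.2_06"',
    "lab-03": 'java version "1.3.1_09"',
    "lab-04": 'java version "1.5.0"',
}

if __name__ == "__main__":
    print("needs update:", audit(SAMPLE))
    print("this machine:", classify(local_banner()))
```

The `java` found on PATH is not necessarily the runtime the browser plug-in loads, so compare the version shown in the plug-in control panel as well.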

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    97
    I'm hoping we can escape more or less unscathed with this one, at least in the windows space.

    As far as I can tell, this allows code to be executed with the user's privilege levels on the machine. And since we currently have so many viruses exploiting the as-yet unpatched IE Iframe vulnerability, why bother re-writing your virus code for this vulnerability?

  6. #6
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Well, you'd have the opportunity to create a cross-platform worm, trojan or virus. There's a challenge
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  7. #7
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    So quit surfing low quality pr0n and warez sites and you will most likely not have a problem.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by Juridian
    So quit surfing low quality pr0n and warez sites and you will most likely not have a problem.
    Damn, what am I gonna do with that eight hours of surfing a day?!?!?

    I don't find this all that incredible, what I find incredible is that it took this long to find a vulnerability in the JVM, especially with all the focus on browser security in the last few years.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Originally posted here by chsh
    Damn, what am I gonna do with that eight hours of surfing a day?!?!?
    OMG! Did we just witness chsh attempt a funny?!
    I've been here a couple years now and this is the first I can remember him saying something that wasn't completely serious.

    Getting in the holiday spirit are we?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Erm, first off, I don't celebrate the American holiday of oppressing natives, I celebrated the Canadian one last month, and secondly, you obviously take my posts WAYYY too seriously.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
