Security News

Beware of new dangerous Java code flaw

November 25, 2004

A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread quickly, seizing millions of computers worldwide.

Java is supported by almost all browsers on the market, and a newly reported security flaw in earlier Java releases has put users of browsers including Internet Explorer, Firefox and even Opera at risk.

Security experts have warned that millions of computer desktops are at risk from a newly discovered vulnerability in Sun Microsystems' Java Virtual Machine (JVM).

IT security firm CyberGuard claimed that the Java flaw, which is present in the JVM on most desktop computers, "poses a significant security threat because it will not be closed by the usual Microsoft update process".

"JVM is used extensively by many online services such as maps or chat portals," said Horst Joepen, chief executive of CyberGuard's Webwasher subsidiary.

"This vulnerability could have a major impact on most enterprises, since even those with strict security policies do not usually forbid the download or use of Java."

Joepen added that the vulnerability has so far been demonstrated only as 'proof of concept' code, meaning that there has been no recorded outbreak of a virus or worm.

However, he said that once a "vulnerability of this magnitude" is exposed, it is usually not long before hackers produce an exploit.

"Most PCs are vulnerable, since JVM is downloaded when users try to access websites that check for a JVM and then ask the user to automatically install it," Joepen said. "Since the Sun JVM is not part of Windows, Microsoft patches won't help."

The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.

The Java plug-in enables small Web programs, known as applets, to run safely on a user's computer. But because most browsers allow Java applets under their default security settings, applets are downloaded and executed within the browser window without the user's knowledge or consent. "It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a 'critical' classification," Pynnonen stated in his newsletter.

An attacker could use the flaw to do anything the victim normally could, including browse, modify or run files, upload more programs to the victim's system, or send out data from the system, Pynnonen wrote in an advisory dated Tuesday.

"It could be easily used for spreading viruses or other malware," Pynnonen said in the e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However an e-mail message could contain a link to a Web page which has the exploit."

There is no workaround for versions 1.4.2_05 and earlier, but a new version free of this fault is available for download.

© 2006 PC Flank Ltd. All rights reserved.