Security experts urge anyone running Java on their computer should upgrade their software immediately, regardless of platform. The reason? Sun just plugged several severe vulnerabilities in the Java Runtime Environment that could leave computers open to severe compromise.
“It is always Sun’s recommendation that people use the latest release of Java technology,”
Bill Curci, product marketing manager for the Java platform at Sun, said in an e-mail to InternetNews.com. “This particular release contains a number of security fixes so we recommend people upgrade as soon as they can.”
All told, Sun has fixed 11 vulnerabilities in the past few days. Because these are part of the Java Runtime and Java components, it covers all platforms that run Java. The full details are on Sun’s security blog.
The vulnerabilities are across the board. They affect JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier and SDK and JRE 1.3.1_20 and earlier. Sun has already posted fixes to all of the software for download.
The vulnerabilities are not to be taken lightly, either. The most severe of the problems makes it possible for a site hosting malicious code to gain access to an internal network, passing right through the firewall and security systems when a person unknowingly accesses a Web site hosting the malicious code.
This would allow the code to make connections to network services and machines inside the firewall, so once inside your network, the malicious code could go almost anywhere on the network and access anything. This could allow network resources not normally accessible via the Internet to be accessed or exploited.
What makes the vulnerability so dangerous is that security methods, like antivirus programs, might detect a Trojan
The others are just as dangerous. A total of six vulnerabilities in Java Web Start could allow an untrusted application to read and write local files, copy files or access the Java Web Start cache, which would in turn let the application determine what applications are installed on the machine.
“Java applications are supposed to run inside a sandbox, but there’s absolutely no sandbox here because they can break out of it and do the things they shouldn’t be able to do,” said Tom Kristensen, CTO of the security firm Secunia, which issued its own alert after examining the vulnerabilities.
Kristensen said that from Sun’s description, there doesn’t seem to be any particular restrictions on what the malicious code could do once it gets inside your network. “There might be some restrictions we don’t know about, but not based on what we have here,” he said.
The message is clear: get patched ASAP. “There is no reason to hesitate with this one,” said Kristensen. Java has an automatic update mechanism, but Kristensen recommends that users do a manual update to insure they have the latest version.