Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Critical Java Bug Targets Java Virtual Machine



 By: Ian Betteridge
2004-11-23
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A highly critical vulnerability in Sun Microsystems Inc.'s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Java's security feature and execute malicious code on a compromi

A highly critical vulnerability in Sun Microsystems Inc.s Java plug-in has been discovered by a Finnish security consultant. The vulnerability could potentially allow a Web page to turn off Javas security feature and execute malicious code on a compromised machine.

The vulnerability affects JRE (Java Runtime Environment) Versions 1.4.2_05 and prior, Versions 1.4.1 and 1.4.0, and Version 1.3.1_12 and prior, running on Windows, Solaris and Linux. JRE Versions 1.4.2_06 and 1.3.1_13 and later are unaffected, and Sun recommends that all users upgrade their Java installations as soon as possible in order to avoid this vulnerability. Third-party JVMs (Java Virtual Machines), such as Microsoft Corp.s, are not affected.

Resource Library:
The bug, discovered by Finnish security consultant Jouko Pynnonen and detailed on Suns Web site, allows a malicious user to create a Web page that uses JavaScript to transfer objects to an untrusted Java applet for some private classes used internally by the Java Virtual Machine. This could be used to turn off Javas security system, disabling the "sandbox" mechanism that should prevent untrusted applets from gaining access to the system.

Once the sandbox restrictions are disabled, a malicious Java applet could be used to compromise the system. The applet would have the same privileges as the logged-in user, which would mean that a malicious applet could have access to the local machine and any connected networks. In theory, a malicious applet could go on to download and install other applications as well.

According to security specialist iDefense Inc., which coordinated the release of the issue, this ability to compromise the sandbox is what makes this issue stand out. iDefense Director Michael Sutton said that "normally, you should not be able to access anything outside the sandbox, and this vulnerability allows you to do so."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Critical Java Bug Targets Java Virtual Machine
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ian Betteridge
 


x}is㶲*Qމg5ER%uƶ|,LU(S$IyI^r_7nZhdrxjl@74Aș3!9)ٝ0Oo-zIj|ݻPAeFAUM7 JԶO7RM3i /4w7wGlJ{'AT{j" xL5 ΚMH]ٚ7'x2)X $8kzZ'jZ$l(P8 w(ZB; ?*B4m$oqT}:XQ=2rН3ݟXBT Kt/"(?c&s?9;|'Ț_h@Q5w0NK <[8 #5nCUVekF֠}lui!l 1!osݿ!HͤNޤ@d jId::`YTi 1܉\Ї@ڮSVPf̲;o tG oc}uק&[! !$f >v?& QI'6q_F^_3'@8:)|E[5'0m_k|tfs< s~3 CoZe؄j% =y7`JaCzJ&5\_-׉E>7 ؗY͢Aeʆ}sʾVWR\W╻]`[BUzEÝ|c4:~)UUe=,GA GnGkp[I^׵Sq={'r9;{'׼ ;A;YHL~#/@DJ V,MD&-ԁNVP? uΑjQ2[F-_ Kj%ɥ~hY̞o fVҘ 'UUXA[~6t.˫nCӣnlL,!V4*V]?c[ˠjq}Ҿ~^{}rһ"ΧqٝF4pgs Z_Zr\? z?lrK,.iTW%3eLCxY$Y.r{&:CJ ݖEL_*D\KŗG)LY4C! ,2ɌcPu t:C;|sƊNmҔ& )B:%u(5Hr Q@a)#8?S%i8@r5XSl \OFo4'M3XE U >hi,A[T}N}W%M 1F|r+E KH@!}F!8N0Apl/\d~]LãQwWڲ9Q[% kK\M흚"#-+}י4O:ǫN/{~:PqJ"0"- ]evbckꛛZϏRa^TU G&-d`q86acBݤc}nE=aAgIy|FMk>ktI=XC#ʠ:ڴ;\VS4!&- 'pbdx: }# 0f4mLH"AЂMtT8n]`2Z9ܹ ([ hk= `Dy+wMGHb1(=զA{Tg,zC {k6G~[>l0szQN\Qo@m2)%%E24.'H(AH 9[h ]99z|?#!bRN[ T6ݞH:s'PT+esMX)gQY,p[/)Pf%5{~4 cbB|#'&Xr`Y \d+|i)lb 6؛ri:|:ioBg< 08Bdp=[IZ&1C IK,tt?;\ύ!7!q"-%`|fX4Кs=RA\^XPL[Nm)tsf9`ZƔWjP~A-QM;luV<ۢfA8 u k2ZE'6`FTTMZ|!||=Ꭴm[4@W*|zS.z8؍8r!O5kb$`CO ]|:'}=r=Cۮ!r N>+]hp$HhS+}aQu5kaAa ŵAb=?x ҫC~y,gK+Igyaؓ.ZL|r [Qz{=cTf le8l0X:Ŀuosj1&?NՊRRiO9&"_Gƅ Kd^ `O`Tc׶ݻ|̠:L'QZ^-B-g\npb Z*LgAqA04L\y5/ +?wV0\nSOКa+;ЂqNl*IH qNIQ)kMxg9oLI3 iȐ0ցq_HE"}[kppLU.)L0:Jj +,X8:T#;4f6tW߀bIu?I BM!RBs]}=1 2`{t&RZUU+òZP+7cUFQX5`Cw<ꗧ!7~g2-sgeH): g-%㓏.Vp)#Z$ c`ײ. _AX{kOhR9A} l#d; $$MUpnp{E@=F&: pJE Mkm z@zzN{Բ':ӌ0ZLfemB(D(p)~)h? UK*~iϻjoR68F2( #s]QB-Pj O5c Қ9k+4C |3MdhH[+XȎ/ͯ6> s}&nfG{mxC`vfD++13R8Wqom؋W#Cf˴W6i&01"45" ~>tU*`x,4J,BfĜAYo]b+o95=1۠~}R5F70p#=ܓe &sZcd{ WϝiqHYf:al#<6@ea ʋzhBs-v4>eʊt0FyX!6 kq0n"8wDAۭCߊ> P5uRQX\u@VI^A ұg /@C׳@.l̼QXCGVUeH4yģT3# y $6-.wEZЋֶ E5bbbϦ\#2OR(KY,aZp9ЃNIC#,A,B |&nR X'W:Z;L$節e 2(-RV%%f!vI#G.ɢ6A(™)dIH59l)`P(S=T@mZ +ia/ dw!]: PG" cZ,nAYb @Ns/4ڎVõ]2MdX$U gMٸUJӴ%I? O} *Q-ˤӧG׆!oy!3." WP)߱~놺9)xT-kZl[ԪwB!iq]C0 IZW+{) ,%~w9@` |ZUjr22DBZNBq<:N)ItS^1%wXL] tKM$DDOC~Ui&gX&J*6şc1Ήˏ{{=LM_BP` &Ѧ0pmOOt@~1tcqy V̶I\fzGQWu=8= %m՞.I{W@wet{uṖ}:wR-}E^;: Cz/RÏE0r`R; J@F$;Ĥ}vl݋6zv9DA 2ߋO4z7qwOEGJ:7]9$臗Zg,Y#0BuZW!ͦ5fpRbs 3^z0LQ‴5!,w\qbaNZ _k=W7(aF`l~YF_aY,$"0. Iku:;.   kJ=!Vohwg{k D2 bT0_RFI$Q#=-#hYsܻjqc lo}AǯNd~NZ-g[M7S+d$ c?]/8݃ϟ" WVZǭOwGH$Y >u8/wb!B48r 7{KP .M>uR2MĔyk.NE i {6-~ clwQ(Sa $-zbeۆnKlx0cRȔ&=8 z>SB&Դ5˓4-i^Eqj ieʒ~@a' ۡX#ě_.6G8 (OMkzisy/P{~%3(:r2iEve(5Au)AB|Hym1ΣJg+y--E#]}+ iǂa|x"R̅)Cx9 EuX.gTk+ttY؍NjFڰq ;eΫ>|mv,KKN5!WC1lyRѵl bdNƔ @95~@ϝ)|i;S<6lM`"(\ ?8~I-3ᛷ 6n2}2KO$ho~QOƯovfCYf=foݷvcW};Ǎ>-l-8tQ#TiRɘ&BARTUjlko$rY9sJE_V ;x`,hEgQd1Ws0dƛqK}#uoѯo=ȥ '֛ݥq=*A#'w5GGoqSxw{eQJW=q-@kjejR,y^[DqD%{two uUN&6mt_c ~‡i<&K;zo :l0̰@ b@V՛R.B)AiqpvvƘ@lll41Rhoi_٦p 0\f>m`1 \c A3+zmK@Ҹ+kg}|@s$l-"W@33#S 2`ݹmS)">!vŴhh"&9&6b(T4kRheh">:FT(` Fx3*]s$Ǯ/u;Rm^+9R4iA"5o`,u;_ })tEz6vυrU6%X#HY+ u 60@ %Pa '*P/6gsj[KER+.Ajvu$F%ZTޯm$8PŌDQvZbЯUmeɵ9Oxi{V7ڋÈw/1?4NJ0Yb:c_5ƋJ>hc%.v" Y7 "@S,ڟs~iב&=G4s¯qB3/ѡq7777GJu|t"^-> 1ǀJ|ָM+:sO*K׭ x"ԂDx'>Y')U ̲M վ~= BHk  CG"pŬ R 劲? )Jʶ,0\lT}s\@v}Xj% [ +n(#,,k8|3>}6"</'!=%M|gITq:sk1"ǘc,xjѕcRZ ϔim/KBې<_}Z-jcJI:טw]`}L^)|KD BW"^ o 4!op N5}1 2Iŀ].||||_ov^׿nlQ+ҹ`؞cR%ݖ.C?,¾ V*f~?RX5pH b WA qa7}K;E3σ8'4^|SbGRcWB xt?:U1fuчyI4g<++a k! $3 McX|}a(1p`6sUQ]w ]~(i2 DYwGDzxaEv(hnV u`U4yH}xqu^8 /zMF5#j+X©J`RgtTҳҎIz=;c| r_!1hv,ܙK `+B|6w)`"H}WjtXWzc6[lաeuM<Nc0XUu"`t""~"<Y똋rDN l|+9.;oOb2*Z)[v RJK6կD{ҳf@@\5!p _}B>/| Bѕ[xx5wZE/2`Vy7*ęn-찆߼Sd!٩9,fER o Z!ߤzm_mc(H^uσ dUokoȊ>t)ۼRzr#5VmLQKvzlï~BYf-e։5עV(^Hi3ƚe<m~?p'@=rv>8XBO}kҽ:u]5h έko(jc+ {r闶Qpq}S}uߒ|`%2f`˶뿓$}qv`'.?A1EKl@.h%]Lώ`CmřnO|7w- 4.N-£Etާ7 œhgϡ6 % l?QX247K fןУlQc̦"f$xr{"*]sNnjʾs~\ : G K]ɖ1xy[/Mz'5!LO:VE(*Io$zTG^6J$RM`~Ÿ\ 6M}^Šx!Vy ?Lm+=mz^CθJ[7]s5S.W@O[fkhPbͪNTpdͪmؓRccn1Hu%.Mč^Ify 8͌/k TPIV ק6:̽KeMĐljU9JJEV^3z~5'5*>5BYQQf>CJ#gx߹54)XieZ{cqȝGF^hRyG~ K5Ò)<k|X>PP)%(77K11ǖC0ۏUKzt׳c5,+ٛp+|ޞ+j_7$|tfsGπ}NL톫$õ6n՜OtgڊRo4Jv (FLOAr;c{±@yt G KG53?b)m:, |W0~2FԞkAZov/?VHzՕݷoh}extSJ"rG:-?i#:& 0* >H%wAG>p2zSR=U%=ahx &̋(HKt<.:ΰ>m[e6\ixc# k3dx rF@YfEG P56D:iv;H\:A窏VءwB"#x99q?2BQQ'LuE) 2s y"aK\vScYuh`>r*~ᜭ#+^Kʑf,Tht?\]}aE1p4*pgj9vU K$L 2@: xE ? W>nrS-i`IkBx lx DwgII!5S"`" a9=g1;my^̅Gl/u GO%ccZ|G,{{GǙ;fSZ,٢_%R~E,D "}fA=bAa~L­!R)Qw30^ SdȌS,0 uA"\2,Gyan2?y :Qs̬Dzy 6t(QS=1U&F  cى 2S¤vt\/?>').yDci 8^iN4_Zo!oX62 =.s޿y *~0~0~@ #a|r )P~W{CuN@9ugK\8=JW ͣzTA^_~+%IN>ȳ9+f/^sTh3gU_?߫I{ykR+ ]q%3-{ᘴ[˺r}ח c|U(X2M&m#(R^>Ȧc˼=>w懴Ixո]@&J2˯-cENSL5tkz(s<2g!h{dZ+mDt"\5½qo>eybAR̥-c@#mq8^$ڃ}nC7fn@qL: ~iMogs\v<2kݫ++〚+p'k͠~%k"N^ga#f^*B8DCw_a%ɡ1zI=vڢ{~58]4pGsn ߙ,@$ R#ZִZjVU 'Wd-#"2t2a*R'Ӏe`_)&K<3 .=M^ed fMȡ!pAfJ5G P }:kl*Yۼx0l|yN Nx@7 ,5w;Ũ@^΃na_ poI2hؐC ؒ9N-#G1N>@KM™Z#wJY&5$W"Z-^>m&V=ȁF=CY%Qf4l1AxL^:&3!Mť{6oTx| "e*,bNcQ0Yqíd<@T6?rօw $~HN,6zo#+fUx/C4tȩ ޹ ^Yh " n#qB`LZAۀ/`51X .jŴkTwX}UmĤj#G[wzhLS,i_cErd9GU ZCQ8ۈ83w{Zܧ[hW"nCr7g7>hll[ 20tճVmbU]ݎ:3'/Հ`m,l-/ ;8m2c3 O"x^;4m!FY#'0ML+fAl!3&y&{.b?aOV,|v/Gk)I'ḱ`7OϽ=S΢dWBubdwD.L%Cb9G$]! ""_S ax0^eD$u@' ;؆OnSC>XXe-s0ŬBSh<)O?'[nG\k<>aiEPL/c<z@n>*f}L޴ ]7*|?OGe Mwt4?@&s ܈}lI5#_?Fq: /A.slK 6[ +"  JmӬ1s¹"UXJَR , ~:3_r ΧkϖWt:yDtzl떮EOfu ݎ¼ȶJ{]Kl CcmR>GK ]'[٧3й?-Rw/e[͌,{ QFbV]shՆG0ޏq7P|@xS b Gm;q3r2M9Qm`--N \71Ȟ|Nuu ۲|ږa=vks`cΜ6 U =[=܋;}c\91F`=s묞R6ȴ{ ePCik5ZK (Dq] XâȖWITR6!;دD?8- ciĬ ;acXJXF!Ƨ ?'TS*4.>ϭn<\eˣŬ"&D0Ȯ' }fbGnԌaB&cv L$Fg8% S^೐b,/A,xr&r*]xWI"cXMb0x@t&W.rWbMd?|Ykh YIb λgxH%D}Sw= aFK'O(Uƥ2}:8XQ|;]%`gd /=jxxі6EKB];Y B*Ewj񲞝?`*XEClMc01B4gr09d֎VMMn3a-dcˤ_ lѳq+