Sun Microsystems Inc. on Wednesday released fixes for vulnerabilities discovered in the Sun Java Runtime Environment and in the Java Software Development Kit, which could be exploited by remote attackers to place and execute malicious files on a vulnerable system.
Security alerts aggregator Secunia Inc. rates the issue as “highly critical” and said malicious hackers could exploit the exposure to “compromise a user's system.”
An unspecified error may be exploited by a malicious, untrusted applet to read and write local files or execute local applications, Secunia said.
The vulnerability has been reported in JDK/JRE 5.0 Update 3 and prior on Windows, Solaris and Linux platforms. SDK/JRE 1.4.2_xx and prior, and 1.3.1_xx releases are not affected, the security firm said.
Sun's suggestion for administrators is to upgrade all versions of the development kit and accompanying runtime. JDK/JRE 5.0 Update 4 or later can be downloaded here; SDK/JRE 1.4.2_09 or later is available here; and SDK/JRE 1.3.1_16 or later can be obtained here.
Symantec corrects flaw that could lead to DoS
Enterprise security vendor Symantec Corp. has issued new patches for a flaw in its PCAnywhere PC management software that could be exploited to cause a DoS (denial of service), the company said.
PCAnywhere is a telecommuting tool that provides remote software control for consumers and large organizations. The software is also used for help desk applications and troubleshooting PC problems at remote offices.
The exposure is caused by an unspecified boundary error that can be exploited to create a buffer overflow prior to authentication, which crashes the PCAnywhere component, Symantec said.
The vulnerability has been found in versions 11.0.1, 11.5.1 and all 32-bit versions. Earlier non-supported versions may also be affected, Symantec said, so it recommends that users of all versions prior to 11.0.1 upgrade to a supported version.
The upgrade to the consumer version of Symantec PCAnywhere can be found here and the update to the enterprise version can be obtained here.
Cisco Systems reports hole in its own security software
A vulnerability has been reported in Cisco Systems Inc.'s own Cisco Security Agent, which can be exploited by malicious local users to gain escalated privileges on a compromised system, Secunia reported.
The vulnerability is due to an unspecified error in CSA versions that run on Windows systems. This can be exploited by malicious users to gain high-level administrative privileges on vulnerable systems, Secunia said.
According to the company's Web site, Cisco Security Agent provides threat protection for server and desktop computing systems, also known as endpoints. It provides host intrusion prevention, spyware/adware protection, protection against buffer overflow attacks and malicious mobile code protection, Cisco said.
The vulnerability has been reported in the following versions:
- Cisco CSA Version 4.5.0 (all builds) managed and stand-alone agents.
- Cisco CSA Version 4.5.1 (all builds) managed and stand-alone agents.
- Cisco CSA Version 4.5.0 (build 573) for CallManager.
- Cisco CSA Version 4.5.1 (build 628) for CallManager.
- Cisco CSA Version 4.5.1 (build 616) for ICM (Intelligent Contact Management), IPCC Enterprise and IPCC Hosted.
- Cisco CSA Version 4.5.0 (build 573) for CVP (Cisco Voice Portal) 3.0 and 3.1.
Cisco and Secunia recommend that all systems using the above CSA builds update to version 18.104.22.1689. That patch can be obtained here.