Network computing giant Sun Microsystems has rolled out patches for a pair of “highly critical” flaws in the Sun JRE (Java Runtime Environment) sandbox and the Java Web Start technology.
The Santa Clara, Calif.-based company said the bugs can be exploited by a malicious hacker to execute arbitrary code on vulnerable systems.
The more serious of the two vulnerabilities, which affects the Java Runtime Environment, may allow an untrusted applet to elevate its privileges.
“For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet,” the company said in a published advisory.
Sun said the issue can occur in Java 2 Platform Standard Edition (J2SE) 5.0 and in 5.0 Update 1 for Windows, Solaris and Linux; as well as in J2SE 1.4.2_07 and earlier 1.4.2 releases for Windows, Solaris and Linux.
Suns J2SE 1.3.1_xx releases for Windows, Solaris and Linux are not affected.
Suns JRE provides the libraries, the Java Virtual Machine and other components to run applets and applications written in the Java programming language.
Download locations for patches have been included in the Sun security alert.
In a separate advisory, Sun Microsystems Inc. confirmed a privilege escalation security hole in Java Web Start, the technology used to deploy stand-alone applications over a network.
Affected releases include Java Web Start in J2SE 5.0 and 5.0 Update 1 for Windows, Solaris and Linux.
Sun recommends that users disable Java Web Start applications from being launched from a Web browser. Instructions for the browser workaround and information on patching are available on Suns Web site.