Java security flaw threatens Windows and Linux Virus

By Derek Sooman on November 23, 2004, 6:06 PM
Detected in June by Finnish security researcher Jouko Pynnonen but not made public until today, a flaw in Sun Microsystems's plug-in for running Java on a variety of browsers and operating systems could lead to a nasty virus. In a nutshell, the security flaw allows a malicious Web site to run a Java applet free from security protections.

"It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a "critical" classification." - Pynnonen.

The problem is confirmed on the PC (Linux and Windows), but the jury is still out as to whether Apple systems are similarly affected, given that Java is a cross-platform language. Java was patched last month by Sun Microsystems, but details of the flaw were not made public until today. According to Pynnonen, the flaw can be used to create exploits which can do anything the victim normally could, including browsing, modifying or running files and uploading more programs to the victim's system.




User Comments: 1

Phantasm66 said:
I received this e-mail on the subject:

Dear Derek,

Given your article titled, "Java security flaw threatens Windows and Linux Virus," regarding a possible security vulnerability in the Java Virtual Machine (JVM), we wanted to let you know that today Sun issued the following statement on this topic:

Sun is aware that a possible security vulnerability in the Java Virtual Machine was found by Secunia, and has been collaborating with them on quickly addressing the issue. Although there have been *no reported cases* of this potential vulnerability being exploited by hackers, Sun takes this issue seriously, as it does all security issues. Sun began distributing the upgrade that addressed the vulnerability in early October to its customers, and this week posted the security alert and the updated version of the Java Runtime Environment that eradicates a possible vulnerability to the general public. Sun will not speculate on the vulnerability or scenarios under which it could possibly be exploited. The upgrade is available at the www.sun.com/developers Web site.