By Robert Lemos, 24 November 2004 11:45
A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.
The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.
The Java plug-in enables small web programs, known as applets, to run safely on a user's computer. But the security flaw allows a malicious website accessed through a victim's browser to bypass those protections.
Pynnonen stated in an email interview with silicon.com sister site CNET News.com: "It allows execution of attacker-supplied code without user interaction [apart from viewing a Web page] which usually means a 'critical' classification."
"The same exploit could also be used against various operating systems and browsers, which makes it more serious," he added. The vulnerability can be used to attack systems running on Windows or Linux, for example, and using major browser software such as Microsoft's Internet Explorer and Firefox -- meaning a large number of systems are vulnerable to attack.
An attacker could use the flaw to do anything the victim normally could, including browse, modify or run files, upload more programs to the victim's system, or send out data from the system, Pynnonen wrote in an advisory dated Tuesday.
While the major browsers have had to deal with a significant number of security issues, the flaw is a rare black eye for the security of Sun's Java technology. Java is designed to be able to run programs downloaded from the Internet on various operating systems safely, without danger to a PC. The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.
However, the flaw allows small snippets of web code, known as JavaScript, to execute functions of Java that were never meant to be run by external programs.
Last week, while announcing details of Sun's forthcoming Solaris 10 operating system, president Jonathan Schwartz noted that Java hasn't been afflicted by a single Java virus.
However, the new security hole could allow a virus to use the Java plug-in to invade PC systems. In October, a flaw in the Java plug-in for mobile phones raised the spectre that a malicious program disguised as a helpful application could attack a phone's software, if run by a user.
Like the recent Iframe vulnerability in Microsoft's Internet Explorer, the Java flaw could allow a malicious website to download and execute a program that would compromise a visitor's PC.
"It could be easily used for spreading viruses or other malware," Pynnonen said in the email. "The exploit itself can't be easily embedded in email, because Java applets contained in email aren't normally started automatically. However an email message could contain a link to a web page which has the exploit."
While Sun would not speculate on how the flaw could be used by attackers, the company did say that it worked hard to distribute the patch for it (which can be found here) to all users.
"We took this very seriously, and we have gone the extra mile to post these patches," a Sun representative said on Tuesday.
The advisories from Sun, Secunia and Pynnonen do not address whether the problem could affect Apple's Mac OS X operating system, which is based on a Unix-like core of code, similar to Linux. The Sun representative said that the Mac issue is being investigated.
Apple was not immediately available for comment.
Robert Lemos writes for CNET News.com.
CNET News.com's Stephen Shankland contributed to this report.

Comments
There are 7 comments.
1. Bob James
This is *not* an exploit for "Linux and Windows", as your article implies. It is a *Java* exploit. The former statement implies that the weakness is in the operating system, while the latter places the blame squarely where it belongs: in the Sun-supplied plug-in.
2. anonymous
Did anybody at Silicon bother to proofread that article? It mentions a patch but on following the link to the Sun site there doesn't appear to be one, unless you count JRE 1.4.2_06 which isn't available yet.
Which makes the quote from Sun about working hard to get the patch out to people so much nonsense.
3. Richard
Accurate Reporting Please!
Apparently this problem does NOT affect the latest version of Java (1.5) which was launched some time ago. It affects only the earlier versions.
The latest Java "plug-in" is available free for download.
Surely the article should have advised people to consider downloading the latest version, and advised software developers to ensure that their Java programs are compatible with JRE version 1.5?
4. Alfred Reading
Pardon my ignorance - how does the ordinary user of Windows who has no knowledge of Java cure a computer of this vulnerability? Looking at the link to the Sun web pages will certainly not enlighten such users.
Most of them will not have seen this article so will be unaware of the risk yet Sun claims, you say, that users have been informed.
5. Terry Debassige
Ad-Aware scan tells me I have a big problem with an exploit relating to Java run time... After reading a BullGuard alert I tried to find the "patch" for the problem but I am unable to figure what it is I am supposed to download. The Java site is very confusing to me. I have Windows XP.
6. Rodger Hallam
I agree with Robert Lemos. I can't determine from the Sun site if I should do something or should I ignore it.
7. Dave Hylands
This site:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
lists the affected versions, how you can tell which version you have, and links to a version you can upgrade to.