Java kit includes security patch

Sun Microsystems freshens up its Java Development Kit to fix a security bug discovered in late April, sources say.

Sun Microsystems (SUNW) has freshened up its Java Development Kit to fix a security bug discovered late last month, sources said today.

As reported, Sun originally provided a patch in the days following the bug's discovery. The bug could have allowed programs stamped with a digital signature to bypass Java's normal security restrictions. But now Sun has begun providing a new version of the JDK, version 1.1.2, that incorporates the patch, instead of just the Band-Aid for the older JDK.

JDK 1.1.2 is now available only to Sun's Java licensees, such as Microsoft and Netscape Communications. It will be posted on the Web site for Sun's JavaSoft division within the next two weeks.

The bug was discovered by a team of Princeton University computer scientists. A sophisticated hacker could exploit the glitch to pretend to be a trusted publisher to whom the user has already granted access privileges, such as reading or modifying private files on that user's hard disk.

Sun has tried to make Java more powerful by allowing programs that are digitally signed by a publisher to venture outside the "sandbox," a security area that prevents code from freely roaming a user's hard disk.

More details about the Java security glitch can be found on the JavaSoft Web site.