Sun issues patches for critical Java flaws

Fixes are for versions of Java Runtime Environment that include a flawed programming interface.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Feb. 8, 2006 11:44 a.m. PT

Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system.

The flaws affect systems running on Windows, Solaris and Linux that are using certain versions of Sun's Java Development Kit 1.5, Software Development Kit (SDK) 1.3 and 1.4, and JRE 1.3, 1.4, 1.5 and 5.0, or earlier, according to an advisory issued by Secunia, which rated the flaws as "highly critical."

Sun's JRE software, especially version 1.4, is found on a number of computers and allows users to run Java applications, which operate in a "sandbox"--a separate area cordoned off from the rest of the user's system.

These latest flaws are found in one of the JRE's application programming interfaces, or API, which communicate between the sandbox and the rest of the system. The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code.

"An applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet," according to Sun's advisory.

Sun's security patch is its latest involving JRE. Last November, Sun issued a fix for five vulnerabilities in its JRE, of which three also dealt with the API.