Posted on 11/24/2004 11:39:32 PM PST by snarks_when_bored
Java bug could hit PC operating systems
17:51 24 November 04
NewScientist.com news service
The discovery of a serious software bug has simultaneously opened a variety of desktop computers to potential attack.
The flaw has been found in Java, which works on a variety of computer operating systems - from Microsoft's Windows to free software Linux - which means any worm which exploits it could hit a variety of computer platforms.
The flaw is rated "highly critical" by the computer security firm Secunia and some experts believe it could lead to the development of a cross-platform computer worm.
The bug was discovered in the Java Plugin - a software package that lets small programs written in the Java programming language run automatically on a computer. These small chunks of code, known as "applets", are often embedded in a web page and may be used to display a small animation or play a sound.
The severity of the flaw is increased by the fact that the Java Plugin comes bundled with various web browsers and Java can be run on different operating systems without modification. Software bugs are normally limited in scope to one operating system or application.
Millions vulnerable
Although some versions of Windows do not come with Java preinstalled and older versions of Java are not affected, Thomas Kristensen, chief technology officer at Secunia, says millions of internet users are probably vulnerable. "If you were to visit a malicious website it could gain complete access to your system," he told New Scientist.
Kristensen adds that, if such a flaw could be exploited, "it would be fairly easy to make the changes so that [a worm] would be truly cross-platform".
Java was designed with security in mind and Java applets are normally restricted from performing any actions on a computer outside the boundary of a "sandbox". This is built into the Java Runtime Environment, which translates Java code into a form that can be understood by the computer system.
But the bug, discovered by an independent Finnish researcher, Jouko Pynnonen, could be used to make an applet reach outside its sandbox and meddle with a victim's computer.
Avoiding the flaw
"Such [an] applet can then take any action which the user could: browse, read, or modify files, upload more programs to the victim system and run them, or send out data from the system," writes Pynnonen in an alert on his website.
"Java is a cross-platform language so the same exploit could run on various [operating systems] and architectures," Pynnonen adds in his alert, issued on 23 November.
The Java Plugin comes bundled with both the Java Software Developers' Kit and the Java Runtime Environment. The only way to avoid the flaw is to upgrade to the latest versions of each.
The Java Plugin flaw is known to affect both Microsoft's Windows platform and the Linux operating system. It has also been tested on Internet Explorer and rival browsers Firefox and Opera. However, the flaw is not yet known to affect Apple's OSX operating system.
The Java language was released by Sun Microsystems in 1994 and incorporated into the Netscape web browser soon after.
Will Knight
Java(TM) 2 Runtime Environment
You'll have to accept the license agreement, hit 'Continue' and then scroll down to find the appropriate installation executable for your operating system.
For directions to 1.5.0, see this link on Free Republic:
http://www.freerepublic.com/focus/f-news/1287342/posts
So what's the bug? I could crank out a nice little applet over the holiday! >:-)
IE is bad enough on its own. I'd been surfing the web for more than ten years and just got hijacked by a secret IE 'toolbar' the other day - some REALLY obnoxious thing from a 'Perezzz Software', apparently with an .ru domain (a Soviet operation?). Darned thing literally installed itself on my PC, just like a program, with its own sub-directory in Program Files, a bunch of registry entries, that Spybot and Adaware didn't even recognize. I found some others that did spot it, and one site that gave specific instructions on how to remove it from disk AND the registry. Amazing. I can't imagine how IE could allow a website to secretly install a program on a client HD. It's amazing! You literally can't even control windows from windows in JavaScript for security concerns - but which would be useful for client-side automation. And yet here you have a program that is automatically installed simply for visiting a web page. Just . . . ! I mean it could have been a virus that wiped the entire HD!
I stopped using IE after discovering FireFox. FireFox isn't perfect, but it's less vulnerable to hacks than IE appears to be. And the tabbing feature in FireFox is a real plus.
So what's the bug? I could crank out a nice little applet over the holiday! >:-)
If I knew, I wouldn't tell, but since I don't, I can't!
"However, the flaw is not yet known to affect Apple's OSX operating system"
Yikes!... dodged another one!
I downloaded JRE 5 yesterday. Uninstall old .v, and then go to developer download. .v 5 is not linked to the green 'update' button as of yesterday.
You can do that in Konqueror.