Posted on 11/23/2004 11:39:35 PM PST by Eagle9
A flaw in Sun's Java Virtual Machine can open up the two most popular browsers, Microsoft's Internet Explorer and Mozilla's Firefox, to attack, security researchers said Tuesday.
According to Reston, Vir.-based iDefense and Danish security vendor Secunia, the bug in Java 2 Runtime Environment (JRE), Standard Edition could let attackers bypass the Java security "sandbox" and all security restrictions within Java applets on Web sites.
JRE is the plug-in software that establishes a connection between the browser and the Java platform, and makes it possible for Web browsers to run Java applets stashed on Web sites.
Hackers using the exploit could essentially gain complete control of the compromised computer, said iDefense, letting them "access, download, upload, or execute files as well as access the network."
iDefense confirmed that the vulnerability exists on J2SE 1.4.2_01 and 1.4.2_04, and may also exist in earlier versions.
Because the bug exists in Java, it's not limited to one browser. "Various browsers such as Internet Explorer, Mozilla, and Firefox on both Windows and Unix platforms can be exploited if they are running a vulnerable Java Virtual Machine," said iDefense in its online advisory.
Finnish researcher Jouko Pynnonen, who first spotted the vulnerability, noted that although his test exploit wouldn't work on Opera Software's Opera browser -- it uses a slightly different method to connect to JavaScript and Java -- it still may be vulnerable to a variation of the exploit.
Pynnonen brought the problem to Sun's attention in late April, 2004, but Sun has only now posted an update -- J2SE 1.4.2_06 -- on its Web site.
Secunia rated the vulnerability as "Highly critical," and urged users to update Java 2 immediately.
______________________________________________________
Source: Download Java 2 Platform, Standard Edition, v 1.4.2 (J2SE)
I hate to post and run, but I'm in dire need of sleep.
At the Sun link, the version is 1.4.2.06
At the Java.com link, the version is 1.4.2.05
Sorry about that. You will need to go under the Developer's tab to get 1.5.0. That tab area is purple.
Look for J2SE 5.0. On the right hand side under "Popular Downloads" is the J2SE 5.0 download area. Once there choose the "J2SE 5.0 JRE" (which is the latest Java Runtime Environment).
That address, if you want to go right there, is as follows:
http://java.sun.com/j2se/1.5.0/download.jsp
I've already installed it and uninstalled all my previous JREs.
Thanks for the update. I'm developing in Java and it's important to know of sandbox vulnerabilities.
tag. And I just installed Firefox, too!
PING -- FYI
The new install won't overlay the old one? Or is it just safer to uninstall the old and install the new?
Easy link for this quick and easy Java 2 download--->>
http://java.com/en/download
That is a link that will let you download the previous bad 1.4.2. The newer 1.4.2 is listed above (version 6, I think) and the best version is 1.5.0 also listed above in the developer's section.
Holy cow. I screwed that up?
Hey, don't worry. I expected the "Free Download" link to give the new 1.5.0 I've had for several months.
We were both wrong and Sun hasn't updated its own link.
When Y'all decide what one we REALLY need please make the link in large bold print, Thanks
Download 1.5.0 here:
http://java.sun.com/j2se/1.5.0/download.jsp
Choose the JRE because you don't need the extra developer tools.
This has a huge number of bug fixes in it over the 1.4.2 series.
OK, silly question for those of us who are technically impaired.
I am not a developer, just an internet computer user. I use FF 1.0. Do I need to worry about this and DL this new Java jive thing?
Thanks!
How probably????? Heck is this something the average web surfer even needs?
see 18 & 19 please