[5157] in Release_7.7_team
serious Java security hole
daemon@ATHENA.MIT.EDU (Alex T Prengel)
Wed Jun 15 19:57:26 2005
Message-Id: <200506152357.j5FNvCB1026728@dit.mit.edu>
To: cfyi@MIT.EDU, release-team@MIT.EDU, ops@MIT.EDU, swrt@MIT.EDU,
net-security@MIT.EDU
cc: alexp@MIT.EDU, facdev@MIT.EDU
Date: Wed, 15 Jun 2005 19:57:12 -0400
From: Alex T Prengel <alexp@MIT.EDU>
I've just updated the Java Development Kit default version on Athena to
1.5.0 Update 2 (which had been installed several months ago but not made the
default) after I saw the following announcement on InfoWorld today:
Sun Microsystems issued alerts this week about vulnerabilities in its
Java platform that security researchers describe as critical that
could allow attackers to execute malicious code on targeted computers.
The affected software is Sun's Java Web Start and Java Runtime
Environment. Weaknesses in the programs could allow applications to
grant themselves permissions to write local files or execute other
applications, allowing an attacker to gain back-door access to
victims' computers. Such an attack could be carried out without any
visible symptoms, Sun said.
The vendor recommends users replace earlier J2SE (Java 2 Platform
Standard Edition) editions with a more recent version. J2SE 5.0 Update
2, released in March, repairs the flaw. Sun's most recent J2SE 5.0
release is Update 3. J2SE updates are available for download on Sun's
Web site.
Danish security firm Secunia rates the vulnerabilities "highly
critical," its second-highest classification, while the French
Security Incident Response Team gave it a "critical" rating, that
organization's highest advisory rank. Those rankings are reserved for
remotely exploitable vulnerabilities that can be executed without a
user's knowledge.
The update will be visible after the next overnight AFS release.
Alex
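An added check, not part of Alex's message or of Athena's release tooling: a POSIX shell script that parses a Sun `java -version` banner and reports whether the installed release is at or above the one the announcement names as fixed, J2SE 5.0 Update 2 (banner form `1.5.0_02`). The minimum version comes from the message; the sample banners, the function names and the comparison logic are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original message or Athena's tooling.
# Checks whether a Sun "java -version" banner is at or above the release the
# announcement names as fixed: J2SE 5.0 Update 2, i.e. banner "1.5.0_02".
# Sun banners look like:  java version "1.5.0_02"
# The "_NN" suffix is the Update number; a banner without one is Update 0.

# Print the four numeric fields "major minor micro update" of a banner (or of a
# bare version string), with leading zeros removed so they compare as integers.
# Returns 1 if no version can be found.
jdk_fields() {
    v=$(printf '%s\n' "$1" | sed 's/.*"\([0-9][0-9._]*\)".*/\1/' | head -n 1)
    case $v in
        ''|*[!0-9._]*) return 1 ;;
    esac
    # Turn "1.5.0_02" into "1 5 0 02" and split it into positional parameters.
    set -- $(printf '%s\n' "$v" | tr '._' '  ')
    out=
    for f in "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"; do
        f=$(printf '%s\n' "$f" | sed 's/^0*\([0-9]\)/\1/')
        out="$out${out:+ }$f"
    done
    printf '%s\n' "$out"
}

# Return 0 if banner $1 is at least version $2, 1 if it is older,
# 2 if either string carries no parsable version.
jdk_at_least() {
    have=$(jdk_fields "$1") || return 2
    need=$(jdk_fields "$2") || return 2
    set -- $have
    h1=$1 h2=$2 h3=$3 h4=$4
    set -- $need
    n1=$1 n2=$2 n3=$3 n4=$4
    for pair in "$h1 $n1" "$h2 $n2" "$h3 $n3" "$h4 $n4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0   # all four fields equal
}

# The release the message says repairs the flaw (taken from the message).
MIN_FIXED='1.5.0_02'

# Constructed sample banners standing in for "java -version 2>&1" output.
BANNER_OLD='java version "1.4.2_08"'
BANNER_FIXED='java version "1.5.0_02"'
BANNER_NEWER='java version "1.5.0_03"'

for b in "$BANNER_OLD" "$BANNER_FIXED" "$BANNER_NEWER"; do
    if jdk_at_least "$b" "$MIN_FIXED"; then
        printf 'OK      %s\n' "$b"
    else
        printf 'UPDATE  %s\n' "$b"
    fi
done
```

To check a real installation rather than the constructed banners, pass the live output: `jdk_at_least "$(java -version 2>&1)" "$MIN_FIXED"` (Sun's JDK prints the banner on stderr). A return of 2 means no version was found, which is worth treating as a failure rather than a pass when this runs as part of an inventory sweep.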