Hole Found in Sun's Java
A vulnerability in certain components of Sun Microsystems Inc.'s Java software could allow an attacker to execute malicious commands on a victim's computer, the company revealed last week.
But the circumstances necessary to exploit this hole are "relatively rare," the company claimed in an advisory that was posted in the archive of Bugtraq at www.securityfocus.com.
The problem appears in various releases of Sun's Java Runtime Environment for the Linux, Windows and Solaris operating systems.
Versions 1.2.2_005 and Versions 1.2.1_003 and earlier of Sun's Java Development Kit and Runtime Environment are affected, according to a Sun spokesman.
Exploiting Changed Settings
The hole permits "the execution of commands from outside of the Java environment," the spokesman said. Typically, the permission needed to run such commands isn't given by default in Java. So for the hole to be exploited, a user needs to have first changed the default setting and given permission for an outside command to be executed, the spokesman said.
"The default setting is to not execute anything without permission," he added. In order to exploit the hole, a cracker would first need to know where such default settings have been changed, the spokesman said.
Ryan Russell, an analyst at SecurityFocus.com in San Mateo, Calif., said that the problem "does not appear to be a huge one," based on available information. "But you really need to have more details than what Sun has made available so far to know exactly what circumstances are needed for this to occur," he added.
Sun also said that Netscape Navigator and Microsoft Corp.'s Internet Explorer aren't exposed to this vulnerability.
Sun advised users to upgrade to a newer release of the Java Runtime Environment and the Java Developer Kit.
» posted by ITworld staff
Computerworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
