March 08, 2001, 2:30 PM — A vulnerability in certain components of Sun Microsystems Inc.'s Java software could allow an attacker to execute malicious commands on a victim's computer, the company revealed last week.
But the circumstances necessary to exploit this hole are "relatively rare," the company claimed in an advisory that was posted in the archive of Bugtraq at www.securityfocus.com.
The problem appears in various releases of Sun's Java Runtime Environment for the Linux, Windows and Solaris operating systems.
Versions 1.2.2_005 and Versions 1.2.1_003 and earlier of Sun's Java Development Kit and Runtime Environment are affected, according to a Sun spokesman.
Exploiting Changed Settings
The hole permits "the execution of commands from outside of the Java environment," the spokesman said. Typically, the permission needed to run such commands isn't given by default in Java. So for the hole to be exploited, a user needs to have first changed the default setting and given permission for an outside command to be executed, the spokesman said.
"The default setting is to not execute anything without permission," he added. In order to exploit the hole, a cracker would first need to know where such default settings have been changed, the spokesman said.
Ryan Russell, an analyst at SecurityFocus.com in San Mateo, Calif., said that the problem "does not appear to be a huge one," based on available information. "But you really need to have more details than what Sun has made available so far to know exactly what circumstances are needed for this to occur," he added.
Sun also said that Netscape Navigator and Microsoft Corp.'s Internet Explorer aren't exposed to this vulnerability.
Sun advised users to upgrade to a newer release of the Java Runtime Environment and the Java Developer Kit.