A flaw in Sun Microsystems' plug-in for running Java on a variety of
browsers and operating systems could allow a virus to spread through
Microsoft Windows and Linux PCs.
The vulnerability, found by Finnish security researcher Jouko Pynnonen in
June, was patched last month by Sun, but its details were not made public
until Tuesday. Security information provider Secunia posted information
about the flaw in an advisory that rated it a "highly critical" threat.
The Java plug-in enables small Web programs, known as applets, to run safely
on a user's computer. But the security flaw allows a malicious Web site
accessed through a victim's browser to bypass those protections.
"It allows execution of attacker-supplied code without user interaction
(apart from viewing a Web page) which usually means a 'critical'
classification," Pynonnen stated in an e-mail interview with CNET News.com
"The same exploit could also be used against various operating systems and
browsers, which makes it more serious," he added. The vulnerability can be
used to attack systems running on Windows or Linux, for example, and using
major browser software such as Microsoft's Internet Explorer and
Firefox--meaning a large number of systems are vulnerable to attack.
An attacker could use the flaw to do anything the victim normally could,
including browse, modify or run files, upload more programs to the victim's
system, or send out data from the system, Pynnonen wrote in an advisory
dated Tuesday.
While the major browsers have had to deal with a significant number of
security issues, the flaw is a rare black eye for the security of Sun's Java
technology. Java is designed to be able to run programs downloaded from the
Internet on various operating systems safely, without danger to a PC. The
"sandbox" that cordons off Java applets from the rest of the system has
typically worked well.
However, the flaw allows small snippets of Web code, known as Javascript, to
execute functions of Java that were never meant to be run by external
programs.
Last week, while announcing details of Sun's forthcoming Solaris 10
operating system, President Jonathan Schwartz noted that Java hasn't been
afflicted by a single Java virus.
However, the new security hole could allow a virus to use the Java plug-in
to invade PC systems. In October, a flaw in the Java plug-in for cell phones
raised the specter that a malicious program disguised as a helpful
application could attack a phone's software, if run by a user.
Like the recent iFrame vulnerability in Microsoft's Internet Explorer, the
Java flaw could allow a malicious Web site to download and execute a program
that would compromise a visitor's PC.
"It could be easily used for spreading viruses or other malware," Pynnonen
said in the e-mail. "The exploit itself can't be easily embedded in e-mail,
because Java applets contained in e-mail aren't normally started
automatically. However an e-mail message could contain a link to a Web page
which has the exploit."
While Sun would not speculate on how the flaw could be used by attackers,
the company did say that it worked hard to distribute the patch for it to
all users.
"We took this very seriously, and we have gone the extra mile to post these
patches," a Sun representative said on Tuesday.
The advisories from Sun, Secunia and Pynnonen do not address whether the
problem could affect Apple Computer's Mac OS X operating system, which is
based on a Unix-like core of code, similar to Linux. The Sun representative
said that the Mac issue is being investigated.
Apple Computer was not immediately available for comment.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment