JavaFAQ Home » Security
Java flaw could lead to Windows, Linux attacks
A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers
and operating systems could allow a virus to spread through Microsoft Windows
and Linux PCs.
The vulnerability, found by Finnish security researcher Jouko Pynnonen in April,
was patched last month by Sun, but its details were not made public until
Tuesday. Security information provider Secunia posted information about the flaw
in an advisory that rated it a "highly critical" threat.
The Java plug-in enables small Web programs, known as applets, to run safely on
a user's computer. But the security flaw allows a malicious Web site accessed
through a victim's browser to bypass those protections.
"It allows execution of attacker-supplied code without user interaction
(apart from viewing a Web page) which usually means a 'critical'
classification," Pynonnen stated in an e-mail interview with CNET News.com.
"The same exploit could also be used against various operating systems and
browsers, which makes it more serious," he added. The vulnerability can be
used to attack systems running on Windows or Linux, for example, and using major
browser software such as Microsoft's Internet Explorer and Firefox--meaning a
large number of systems are vulnerable to attack.
An attacker could use the flaw to do anything the victim normally could,
including browse, modify or run files, upload more programs to the victim's
system, or send out data from the system, Pynnonen wrote in an advisory dated
While the major browsers have had to deal with a significant number of security
issues, the flaw is a rare black eye for the security of Sun's Java technology.
Java is designed to be able to run programs downloaded from the Internet on
various operating systems safely, without danger to a PC. The
"sandbox" that cordons off Java applets from the rest of the system
has typically worked well.
execute functions of Java that were never meant to be run by external programs.
Last week, while announcing details of Sun's forthcoming Solaris 10 operating
system, President Jonathan Schwartz noted that Java hasn't been afflicted by a
single Java virus.
However, the new security hole could allow a virus to use the Java plug-in to
invade PC systems. In October, a flaw in the Java plug-in for cell phones raised
the specter that a malicious program disguised as a helpful application could
attack a phone's software, if run by a user.
Printer Friendly Page
Send to a Friend
Search here again if you need more info!