This story was printed from ZDNet Australia.
Serious Java hole affects multiple operating systems
By John McCormick, March 28, 2002
URL: http://www.zdnet.com.au/insight/soa/Serious-Java-hole-affects-multiple-operating-systems/0,139023731,120264319,00.htm
Several versions of the Java Virtual Machine that have been in use for years contain a serious vulnerability. Although the problem was only recently disclosed, Sun has apparently known for 11 months that the Java RunTime Environment code contains a flaw that could allow an attacker to capture sensitive data by redirecting Web traffic.
Threat level: Critical
Microsoft reports that this problem is a threat to anyone who connects to the Internet through a proxy server. A remote server could use a hostile Java applet to hijack the user's HTTP connection to the proxy. It's more than a bit ironic that proxy servers are normally used to improve security, but the bug could allow attackers to redirect proxy Web traffic to a new destination.
Applicability: Any HTTP proxy server
Microsoft was the first to release a patch for this problem (MS02-013), but the threat isn't confined to Internet Explorer users. This vulnerability also affects Netscape Navigator and Sun platforms. The Sun security bulletin, HttpURLConnection, is #00216. Mitre identifies this vulnerability in report CAN-2002-0058. Again, any system with an HTTP proxy server could be at risk.
According to Sun Microsystems, Netscape Navigator versions 6.1, 6.0.1, and 6.0, as well as Netscape Communicator version 4.79 and earlier, contain the vulnerable Java code. Microsoft Virtual Machine builds through 3802 are all affected. Sun reports that the following products are specifically affected.
Microsoft Windows
Solaris operating environment releases
Solaris production releases
Linux production releases
This vulnerability does not affect the Java 2 SDK, Standard Edition, versions 1.4 and 1.3.1.
Fix: Update Java VM immediately
Microsoft recommends that users update to Microsoft VM build 3805. Netscape says that Netscape 6.2 and 6.2.1 are not vulnerable, but the company recommends that users of any earlier version update to the newest version of the Sun JVM. Sun recommends that users update the Java releases listed above with the following software versions.
Microsoft Windows
Solaris OE reference releases
Solaris production releases
Linux production releases
Slow response: Sun doesn't shine
Both Sun and Microsoft specifically thank Dutch security specialist Harmen van der Wal for bringing this threat to their attention, but according to a Newsbytes report, van der Wal claims that Sun had been sitting on knowledge of this critical threat for nearly a full year before it got around to releasing a fix. Although he expressly thanked Sun for its security efforts, he also blames the company for the 11-month delay. Sun's bulletin wasn't released until March 4, 2002, but van der Wal first reported it to Sun on April 7, 2001. He indicated that Sun acknowledged the vulnerability at that time.
In a bulletin on the vulnerability, van der Wal stated that he will not release details about how to exploit the vulnerability for three months, out of concerns that hackers might take advantage of his report. But he also added, "Customers should not assume that the lack of vulnerability details at this time will prevent the creation of exploit programs."