Sun Microsystems says a Java security hole, which was called "as bad as it gets" by security experts, has now been patched.
Sun released Java SE 6 Update 2 on Friday in the US. The company said this release is no longer vulnerable to the flaws, which the Australian Computer Emergency Response Team (AusCERT) highlighted earlier that week.
The Java Runtime Environment vulnerabilities cited in the article were first reported by Chris Evans of Google's security team in October. He reported them to Sun, then to the public on May 15.
One flaw demonstrated in Evans' advisory shows an integer overflow in a JPEG image. Documented in CVE-2006-2788, this affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06.
A second demo shows a local file being opened via the BMP image parser. This was documented in CVE-2006-2789 and affects Sun Java Development Kit (JDK) before versions 1.5.0_11-b03, 1.6.x and 1.6.0_01-b06 on Unix and Linux systems.
Sun spokeswoman Jacki DeCoster recommends that consumers go to Java.com and download Java SE 6 Update 2, installing the latest version of the Java Runtime Environment. Additional information about the specific patches related to these vulnerabilities can be found on the company's SunSolve site.










