For educational purposes only

http://www.cnn.com/2001/TECH/internet/02/23/java.security.hole.idg/index.html

Sun warns of security hole in Java

February 23, 2001 Web posted at: 10:06 a.m. EST (1506 GMT)

by Douglas F. Gray

(IDG) -- A security vulnerability has been discovered in components of Sun Microsystems Inc.'s Java software, leaving some servers that run Java open to potential attack, according to a security bulletin issued by Sun and posted on the Bugtraq security list.

The problem affects various releases of versions 1.1 and 1.2 of the Java Runtime Environment for Linux, Microsoft Corp.'s Windows and Sun's own Solaris operating system, the company said in the bulletin. "To the best of Sun's knowledge" the security hole doesn't affect Microsoft Corp.'s Internet Explorer browser or Netscape's Navigator software, Sun said. In order for the security hole to be exploited, permission must be granted by a computer to run at least one Java command, according to the bulletin. "Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare," Sun said.

The Palo Alto, California-based vendor did not rule out that the bug may effect Java-based technology created by other vendors, but said it has notified Java licensees and made the fix available to them. Sun did not immediately return a call seeking further information.

The flaw has already been fixed in Sun's new Java 2 Platform, the company said. However, it does also affect certain releases of the Java Development Kit version 1.1. 6 and 1.1.7B.

Users are advised to upgrade to newer releases of the Java Runtime Environment and the Java Developer Kit. More detailed information can be found in the archive section of Buqtraq, which can be accessed at SecurityFocus.com.

-- K (infosurf@yahoo.com), February 23, 2001