Wednesday, December 20, 2006

Sun Releases Security Information -- After Fixes

Sun Microsystems released details regarding the security issues in Java that were fixed with the update to Version 9. That is correct -- Java SE 5, Version 9. Even though version 10 and now Java SE 6.0 have both been released, we are now finding out what was previously fixed.

If Microsoft followed Sun Microsystems' policy of providing the details of vulnerabilities fixed at the time of the NEXT or subsequent update, the public and the press would be screaming so loud the walls would reverberate in Redmond. This is just plain irresponsible on the part of Sun Microsystems!

It is also next to impossible to find what has been fixed at the Sun website. I located the details at Heise Security:
"Among other things, two buffer overflows have been resolved in the Java Runtime Environment (JRE) that allowed system resources to be accessed by non-trusted applets, which could then read, write, and execute arbitrary files with the user's rights. Two additional flaws in the serialization of JRE also allowed an applet to gain more rights. Finally, two weak points allow one applet to access the data of another applet. The flaws are found in the DK and JRE versions up to 1.4.2_12, with some even in 1.3.1_18. Updates (1.4.2_13 and 1.3.1_19) have also been made available for these flaws."
It is very important to uninstall prior versions of Sun Java when updating. Please see the illustrated instructions here for updating Sun Java.
