Sun Patches Security Holes in Java Runtime Environment
January 22, 2007 Timothy Prickett Morgan
The past few weeks have been busy ones for patching security holes in the Java Runtime Environment that is at the heart of Sun Microsystems‘ Java programming language. Several vulnerability alerts for the JRE and the Java Development Kit (JDK) were issued the day after Christmas, and one more was issued on January 17.
If you want to find the details about these security vulnerabilities, go to the National Institute of Standards and Technology’s National Vulnerability Database and search for “JRE.” The alert posted on January 17 said that Sun JDK and JRE 5.0 Update 9 and earlier releases had a hole that would allow malicious Java applets to gain privileges on machines through a corrupted GIF image file, which would trigger a memory corruption (a buffer overflow) that could in turn allow a malicious coder into a machine. A spate of warnings issued on December 26 for earlier JDKs and JREs had similar security holes.
According to security monitoring site Secunia, these security holes have been patched by Sun, and they were rated highly critical security flaws. Sun fixed the flaws by issuing updates for the JRE 1.3, 1.4, and 5.0 software. You can read Sun’s own advisory on this issue here. Sun has patched Java for Windows, Linux, and Solaris platforms, which it supports with its own JDK and JRE software.
Because IBM creates its own JDK and JRE software, Sun’s patches do not work on IBM’s own operating systems. I bring this up merely so you know there is a potential problem so you can ask IBM what you need to do. Keep your eyes on the System i PTF Guide, which is brought to you by our good friends at DLB Associates, to find out if and when IBM makes its own patches for this GIF-related Java security hole. As of Sunday afternoon, January 21, there was nothing yet.