Update your Java Runtime Environment

Sun has published a security alert and recommends that users of its Java Runtime Environment (which is, in fact, nearly everyone out there) install the provided update as soon as possible. According to Sun’s document, the loader for Java applets contains integer and buffer overflow vulnerabilities.

This may allow untrusted Java applets to escalate their privileges on the system. Doesn’t sound scary? Well, it is: a specially prepared website may load such an applet and gain full system access, a.k.a. own the computer.

You can check whether your installed Java Runtime Environment is up to date by visiting a web page from the manufacturer. It will offer you the latest recommended version for download. This is currently JRE 6 Update 13 and JRE 5 Update 18, respectively. Sun notes that JRE 1.4.2 and 1.3.1 are not affected by these vulnerabilities.

For newer Java versions Sun has finally managed to fix its installer so that it removes the old version being replaced. If you update from an older version (say, from before JRE 6 Update 11), you have to remove the old Java version yourself via the software applet in the system control panel. Since Java applets can request the runtime version they like, the system remains vulnerable if you don’t uninstall the previous versions!
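Because every runtime left on the machine counts, a useful check is to list all installed JRE version strings and flag any in the 5 or 6 family that is below the patched update level named above. The following script is an added example, not code from Sun or from this post; the version strings in SAMPLE_INSTALLED are constructed, and the 5/6 thresholds and the "1.4.2 / 1.3.1 not affected" rule are taken from the alert as summarised here. It only understands the classic "1.x.y_zz" version form.

```python
import re
import subprocess

# Minimum patched update level per Java family, as stated in the post (Sun's alert):
# JRE 6 Update 13 and JRE 5 Update 18. Families 4 (1.4.2) and 3 (1.3.1) are listed
# as not affected, so they are deliberately absent from this table.
PATCHED_UPDATE = {6: 13, 5: 18}

# Classic Sun version form "1.<family>.<minor>[_<update>]", optionally wrapped in
# the `java -version` banner, e.g. 'java version "1.6.0_11"'. The \b keeps a
# newer-style "11.0.2" from being misread as "1.0.2".
_VERSION_RE = re.compile(r'\b1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(text):
    """Extract (family, minor, update) from a version string; None if not found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(3)) if m.group(3) is not None else 0
    return family, minor, update


def assess(version):
    """Return 'patched', 'vulnerable' or 'not-affected' for a parsed version."""
    family, _minor, update = version
    if family not in PATCHED_UPDATE:
        return "not-affected"
    return "patched" if update >= PATCHED_UPDATE[family] else "vulnerable"


def audit(version_strings):
    """Assess every installed runtime. One 'vulnerable' entry is enough to expose
    the host, because an applet may request that specific older runtime."""
    results = []
    for s in version_strings:
        v = parse_version(s)
        results.append((s, assess(v) if v else "unparsed"))
    return results


def host_is_exposed(results):
    """True if any installed runtime is still below the patched update level."""
    return any(status == "vulnerable" for _s, status in results)


def default_runtime_banner():
    """First line of `java -version` for whatever java is on PATH (it prints to
    stderr); None if no java is available. Only covers the default runtime, not
    the leftovers in the software list, which is the point of audit() above."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stderr.splitlines()[0] if proc.stderr else None


# Constructed sample: strings as they might be collected from the system's software
# list and from `java -version` on a machine updated several times without
# uninstalling the previous runtimes.
SAMPLE_INSTALLED = [
    'java version "1.6.0_13"',  # current default: patched
    "1.6.0_11",                 # left behind by an earlier install: vulnerable
    "1.5.0_18",                 # patched
    "1.4.2_19",                 # not affected per the alert
]

if __name__ == "__main__":
    report = audit(SAMPLE_INSTALLED)
    for entry, status in report:
        print(f"{entry:28} {status}")
    print("host exposed:", host_is_exposed(report))
```

Feed audit() the version strings you collect from the software list rather than just the default runtime's banner: the sample above is exactly the case the post warns about, where the default is patched but a leftover 6u11 still makes the host exposed.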

Dirk Knop
Technical Editor