Vulnerability found in Java - Please read     

TullettJ (MoneyAM) - 27 Nov 2004 07:56

Hello,

Over the last few days it has come to light that there is a critical vulnerability within the Sun Java JVM (not MSJAVA). It is exploitable through some simple JavaScript that any malicious website can serve up.

The following is copied from the Bugtraq mailing list:

Sun Java Plugin arbitrary package access vulnerability
OVERVIEW
========

Sun Microsystems' Java Plugin connects the Java technology to web
browsers and allows the use of Java Applets. Java Plugin technology is
available for numerous platforms and supports major web browsers.

A vulnerability in Java Plugin allows an attacker to create an Applet
which can disable Java's security restrictions and break out of the
Java sandbox. The attack can be launched when a victim views a web page
created by the attacker. Further user interaction is not required as
Java Applets are normally loaded and started automatically.

Such an Applet can then take any action which the user could: browse,
read, or modify files, upload more programs to the victim system and
run them, or send out data from the system. Java is a cross-platform
language so the same exploit could run on various OS'es and
architectures.

VULNERABLE VERSIONS
===================

The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
and Linux. Web browsers tested were Microsoft Internet Explorer,
Mozilla Firefox and Opera. It should be noted that Opera uses a
different way of connecting JavaScript and Java which caused the test
exploit not to work on Opera. However the problem itself (access to
private packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.

SOLUTION
========

Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06, available at

http://java.sun.com/j2se/1.4.2/download.html

CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnonen,
Finland.

TullettJ (MoneyAM) - 27 Nov 2004 11:45 - 4 of 18

optomistic,

Have you clicked on the link I posted above?

J.

optomistic - 27 Nov 2004 11:51 - 5 of 18

Have done, not sure which to download

optomistic - 27 Nov 2004 12:33 - 6 of 18

That took some sorting, showing browser is now secure with no vulnerabilities. Previously showed high risk vul...
thank you J

stockbunny - 28 Nov 2004 10:18 - 7 of 18

Err Help!
I've followed the link and there's several potential downloads here..
don't know which one I'm supposed to choose...

emailpat - 28 Nov 2004 11:58 - 8 of 18

Tried twice to d/load but I haven't got enough virtual memory (I knew I was going senile). Help!!!

optomistic - 28 Nov 2004 12:21 - 9 of 18

emailpat, check to see if your PC has allocated the correct paging file size. Recommended 718 megabytes for XP. Don't know about the other systems. Access to info through Control Panel: click on System. You will find it in there.

aldwickk - 28 Nov 2004 15:26 - 10 of 18

I have version 06 and did a browser check, which turned out OK. What is the full check option?

MightyMicro - 28 Nov 2004 15:38 - 11 of 18

stockbunny:

Try http://www.java.com/en/download/manual.jsp

and select the Windows Download button (the first one).

emailpat - 28 Nov 2004 21:44 - 12 of 18

optomistic- TKS

stockbunny - 29 Nov 2004 14:59 - 13 of 18

Thanks MightyMicro & Opto - still having fun with this..LOL!

IanT(MoneyAM) - 01 Dec 2004 16:09 - 14 of 18

Please note that some of you will be using Microsoft VM, and not Java, in which case this would not be applicable to you.

To check to see if you are running VM or Java, go to Tools at the top of your screen, click on Internet Options and then Advanced - in the long list you will see either of these or both, and the one which you are using will be ticked.

Thanks

Ian

stockbunny - 01 Dec 2004 16:10 - 15 of 18

Cheers Ian!

Priscilla - 01 Dec 2004 16:21 - 16 of 18

Following your post 13, Ian, I have Microsoft VM with the 'JIT compiler for virtual machine enabled' ticked. Does this mean I can stop worrying about this thingy then?

IanT(MoneyAM) - 01 Dec 2004 16:22 - 17 of 18

Priscilla - exactly - just make sure you keep your Windows updates up to date as it were :)

Ian

Priscilla - 01 Dec 2004 16:26 - 18 of 18

Thanks, Ian!! Yippeeeee!