Security vulnerability in Sun's Java environment
Sun is warning of a security vulnerability in its Java Runtime Environment (JRE). A bug in unpack200, the program for unpacking Java archives, can be exploited by attackers using crafted JAR files to inject and execute arbitrary malicious code on a user's computer with the user's privileges. In certain circumstances, this can occur merely through visiting a crafted website.
The bug affects JDK and JRE 5.0 Update 17 and 6 Update 12, and earlier versions of both, on Windows, Linux and Solaris. Sun explicitly notes that versions 1.4.2 and 1.3.1 are not affected.
Users can identify the version of Java installed on their system by running java -version from the command line. This information can also be obtained by entering about:plugins in the address bar in Firefox or by visiting a special vendor website in IE. Affected users should update to Java 5 Update 18 or Java 6 Update 13 as soon as possible.
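The version check above can be scripted so that it is reproducible across a fleet. The following is an added example, not code from Sun or from the advisory: it parses a version string of the form printed by java -version ("1.6.0_12") into its family and update number and reports whether that version falls inside the range the article lists as affected (5.0 up to Update 17, 6 up to Update 12), as fixed (5.0 Update 18 / 6 Update 13 or later), or as not affected (1.4.2 and 1.3.1). Versions outside those families are reported as "unknown" rather than guessed. The function name java_status and the wrapper installed_java_status are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Java version string
# against the affected range given for the unpack200 bug.

# java_status VERSION
#   VERSION is the quoted string from `java -version`, e.g. 1.6.0_12 or 1.5.0_17-b04.
#   Prints one of: affected | fixed | not-affected | unknown
java_status() {
    ver="$1"
    # "1.6.0_12" -> family "6"; "1.4.2_19" -> family "4"
    family=$(printf '%s' "$ver" | cut -d. -f2)
    # update number is the digits after the underscore; missing -> 0
    update=$(printf '%s' "$ver" | sed -n 's/^[^_]*_\([0-9][0-9]*\).*/\1/p')
    [ -z "$update" ] && update=0

    case "$family" in
        5) if [ "$update" -le 17 ]; then echo affected; else echo fixed; fi ;;
        6) if [ "$update" -le 12 ]; then echo affected; else echo fixed; fi ;;
        3|4) echo not-affected ;;   # 1.3.1 and 1.4.2 are stated as unaffected
        *) echo unknown ;;          # families the article does not cover
    esac
}

# installed_java_status
#   Runs the locally installed `java -version`, extracts the quoted version
#   string from its first line and classifies it. Prints "no-java" if the
#   binary is not on PATH.
installed_java_status() {
    command -v java >/dev/null 2>&1 || { echo no-java; return 1; }
    # `java -version` writes to stderr; the first line looks like: java version "1.6.0_12"
    v=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
    java_status "$v"
}

# Usage when run directly (constructed sample values, then the live check):
if [ "${0##*/}" = "java_status.sh" ]; then
    for sample in 1.5.0_17 1.5.0_18 1.6.0_12 1.6.0_13 1.4.2_19; do
        printf '%s: %s\n' "$sample" "$(java_status "$sample")"
    done
    printf 'installed: %s\n' "$(installed_java_status)"
fi
```

A host reporting "affected" should be updated to Java 5 Update 18 or Java 6 Update 13; note that the script only inspects the java binary first on PATH, so browser plugins that bundle their own JRE need to be checked separately (the about:plugins page in Firefox shows the plugin's version).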
See also:
- Integer and Buffer Overflow Vulnerabilities in the Java Runtime Environment (JRE) "unpack200" JAR Unpacking Utility May Lead to Escalation of Privileges, security advisory from Sun Microsystems.
(djwm)