Secunia rated the flaws as 'highly critical' in a security advisory because they could allow a remote attacker to bypass security, gain system access, expose system and sensitive information and manipulate data.
Vulnerabilities were reported in the Java Developer Kit, Java Runtime Environment 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, Software Developer Kit and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier.
Problems included multiple unspecified errors that could allow hackers to use malicious applets or APIs to establish network connections on machines other than the originating host.
Other errors in Java Web Start could also be exploited to read or write local files or find the location of the Java Web Start cache.
An unspecified JRE error could also be used to move or copy arbitrary files on the system.
Sun credited Billy Rios, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, David Byrne and Peter Csepely with finding the vulnerabilities.
More details on the patches are available on the official Sun Security Blog.
Sun patches 'critical' Java flaws
By Matt Chapman on Oct 8, 2007 10:16AM