Free Republic

Java Bug Makes IE, Firefox Vulnerable ("Highly Critical" - Update Required)
TechWeb ^ | November 23, 2004 | TechWeb News

Posted on 11/23/2004 11:39:35 PM PST by Eagle9

A flaw in Sun's Java Virtual Machine can open up the two most popular browsers, Microsoft's Internet Explorer and Mozilla's Firefox, to attack, security researchers said Tuesday.

According to Reston, Vir.-based iDefense and Danish security vendor Secunia, the bug in Java 2 Runtime Environment (JRE), Standard Edition could let attackers bypass the Java security "sandbox" and all security restrictions within Java applets on Web sites.

JRE is the plug-in software that establishes a connection between the browser and the Java platform, and makes it possible for Web browsers to run Java applets stashed on Web sites.

Hackers using the exploit could essentially gain complete control of the compromised computer, said iDefense, letting them "access, download, upload, or execute files as well as access the network."

iDefense confirmed that the vulnerability exists on J2SE 1.4.2_01 and 1.4.2_04, and may also be within earlier versions as well.

Because the bug exists in Java, it's not limited to one browser. "Various browsers such as Internet Explorer, Mozilla, and Firefox on both Windows and Unix platforms can be exploited if they are running a vulnerable Java Virtual Machine," said iDefense in its online advisory.

Finnish researcher Jouko Pynnonen, who first spotted the vulnerability, noted that although his test exploit wouldn't work on Opera Software's Opera browser -- it uses a slightly different method to connect to JavaScript and Java -- it still may be vulnerable to a variation of the exploit.

Pynnonen brought the problem to Sun's attention in late April, 2004, but Sun has only now posted an update -- J2SE 1.4.2_06 -- on its Web site.

Secunia rated the vulnerability as "Highly critical," and urged users to update Java 2 immediately.
______________________________________________________

Source: Download Java 2 Platform, Standard Edition, v 1.4.2 (J2SE)

Java 2 Standard Edition, version 1.4.2

NetBeans IDE + J2SE SDK
This distribution of the J2SE Software Development Kit (SDK) includes NetBeans IDE, which is a powerful integrated development environment for developing applications on the Java platform.
Download J2SE v 1.4.2_04 SDK with NetBeans 3.6 Bundle

J2EE 1.4
The Java 2 Enterprise Edition 1.4 SDK adds support for EJBs, JSPs, XML, and Web Services APIs in a single bundle.
Download J2EE 1.4 SDK

J2SE v 1.4.2_06 SDK (includes the JVM technology)
The J2SE Software Development Kit (SDK) supports creating J2SE applications.
Download J2SE SDK

J2SE v 1.4.2_06 JRE (includes the JVM technology)
The J2SE Java Runtime Environment (JRE) allows end-users to run Java applications.
Download J2SE JRE


TOPICS: Culture/Society; Technical
KEYWORDS: computers; firefox; ie; internet; internetexploiter; java; microsoft; technical

1 posted on 11/23/2004 11:39:35 PM PST by Eagle9
[ Post Reply | Private Reply | View Replies]

To: Eagle9
To everyone: Don't try to download the bad version (which may be the one listed above). Go to java.com and download Java version 1.5 under the Free Download area in green.

This is the latest version and it has many enhancements for speed for newly-written code.
2 posted on 11/23/2004 11:43:50 PM PST by ScottM1968
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach; backhoe

I hate to post and run, but I'm in dire need of sleep.


3 posted on 11/23/2004 11:44:43 PM PST by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]

To: ScottM1968

At the Sun link, the version is 1.4.2.06
At the Java.com link, the version is 1.4.2.05


4 posted on 11/23/2004 11:55:18 PM PST by TomGuy (America: Best friend or worst enemy. Choose wisely.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: TomGuy

Sorry about that. You will need to go under the Developer's tab to get 1.5.0. That tab area is purple.

Look for J2SE 5.0. On the right hand side under "Popular Downloads" is the J2SE 5.0 download area. Once there choose the "J2SE 5.0 JRE" (which is the latest Java Runtime Environment).

That address, if you want to go right there, is as follows:

http://java.sun.com/j2se/1.5.0/download.jsp


5 posted on 11/24/2004 12:00:43 AM PST by ScottM1968
[ Post Reply | Private Reply | To 4 | View Replies]

To: ScottM1968

I've already installed it and uninstalled all my previous JRE's.


6 posted on 11/24/2004 12:05:52 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ScottM1968

Thanks for the update. I'm developing in Java and it's important to know of sandbox vulnerabilities.


7 posted on 11/24/2004 12:06:34 AM PST by FastCoyote
[ Post Reply | Private Reply | To 5 | View Replies]

To: Eagle9

tag. And I just installed firefox, too!


8 posted on 11/24/2004 12:12:30 AM PST by flashbunny (Every thought that enters my head requires its own vanity thread.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

PING -- FYI


9 posted on 11/24/2004 12:13:48 AM PST by Boomer Geezer (Sgt. Wanda Dabbs, 22, of the 230th, called out, "That's my president, hooah!" and there were cheers.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop
So let me get this straight ... download the new version, uninstall any previous version of JAVA I have on the system, and then install the new one, right?

The new install won't overlay the old one? Or is it just safer to uninstall the old and install the new?

10 posted on 11/24/2004 12:17:53 AM PST by Boomer Geezer (Sgt. Wanda Dabbs, 22, of the 230th, called out, "That's my president, hooah!" and there were cheers.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Eagle9

Easy link for this quick and easy Java 2 download--->>

http://java.com/en/download


11 posted on 11/24/2004 12:19:55 AM PST by dennisw (G_D: Against Amelek for all generations)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dennisw

That is a link that will let you download the previous bad 1.4.2. The newer 1.4.2 is listed above (version 6, I think) and the best version is 1.5.0 also listed above in the developer's section.


12 posted on 11/24/2004 12:31:15 AM PST by ScottM1968
[ Post Reply | Private Reply | To 11 | View Replies]

To: ScottM1968

Holy cow. I screwed that up?


13 posted on 11/24/2004 12:31:56 AM PST by dennisw (G_D: Against Amelek for all generations)
[ Post Reply | Private Reply | To 12 | View Replies]

To: dennisw

Hey, don't worry. I expected the "Free Download" link to give the new 1.5.0 I've had for several months.

We were both wrong and Sun hasn't updated its own link.


14 posted on 11/24/2004 12:35:42 AM PST by ScottM1968
[ Post Reply | Private Reply | To 13 | View Replies]

To: dennisw; Eagle9; ScottM1968; TomGuy

When Y'all decide what one we REALLY need please make the link in large bold print, Thanks


15 posted on 11/24/2004 12:37:29 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 13 | View Replies]

To: ChefKeith

Download 1.5.0 here:

http://java.sun.com/j2se/1.5.0/download.jsp

Choose the JRE because you don't need the extra developer tools.

This has a huge number of bug fixes in it over the 1.4.2 series.


16 posted on 11/24/2004 12:40:10 AM PST by ScottM1968
[ Post Reply | Private Reply | To 15 | View Replies]

To: Eagle9

OK, silly question for those of us who are technically impaired.

I am not a developer, just an internet computer user. I use FF 1.0. Do I need to worry about this and DL this new Java jive thing?


Thanks!


17 posted on 11/24/2004 12:41:19 AM PST by Khurkris (That sound you hear coming from over the horizon...thats me laughing.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ChefKeith

http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=22&PartDetailId=jre-1.5.0-oth-JPR&SiteId=JSC&TransactionId=noreg


Probably


18 posted on 11/24/2004 12:41:54 AM PST by dennisw (G_D: Against Amelek for all generations)
[ Post Reply | Private Reply | To 15 | View Replies]

To: dennisw
Probably ?

How probably????? Heck is this something the average web surfer even needs?

19 posted on 11/24/2004 12:45:41 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 18 | View Replies]

To: ScottM1968

see 18 & 19 please


20 posted on 11/24/2004 12:46:45 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 16 | View Replies]

To: Khurkris
Yup. Your choice: 1.4.2.(version 6) or 1.5.0. The references are above and both should address the viral problem. Anything 1.4.2.(version 5) or less is broken.
21 posted on 11/24/2004 12:49:08 AM PST by ScottM1968
[ Post Reply | Private Reply | To 17 | View Replies]

To: ChefKeith

I believe I read this is considered "Highly Critical".


22 posted on 11/24/2004 12:50:28 AM PST by ScottM1968
[ Post Reply | Private Reply | To 20 | View Replies]

To: Boomer Geezer

It's a good idea. The new installation installs a new JRE to your system folders. After that look in Search then Files and Folders to remove the old JRE (it's a cpl. file) applet from the Control Panel.


23 posted on 11/24/2004 12:53:21 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 10 | View Replies]

To: ChefKeith

You don't need the full Java Standard Edition, unless you're a software developer. Most Windows users need the Java Runtime Environment, which is a Java subset that can display Java code and execute programs embedded on websites that require Java. The most dangerous aspect of Java is executing exploits but any good anti-virus software should block them. The security flaws in Internet Explorer have less to do with Java on the system than with Microsoft not coming out with a secure browser upgrade for Windows XP. Simply install Mozilla or Firefox browser and view websites with them to avoid being targeted by hackers.


24 posted on 11/24/2004 12:59:26 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 19 | View Replies]

To: ChefKeith

How probably????? Heck is this something the average web surfer even needs?.......


15mb download when you get a chance. I would do it and did it. I am not a crazy when it comes to computer security. Most problems come from file sharing (kazaalite) where you virus infected downloads and going to porn sites, crack sites and stupid sites that load mal-ware onto your machine. EG I downloaded a screen saver called "Rain of Gold" and spent the next few weeks getting crap ware off my home computer


25 posted on 11/24/2004 12:59:55 AM PST by dennisw (G_D: Against Amelek for all generations)
[ Post Reply | Private Reply | To 19 | View Replies]

To: goldstategop

Unfortunately this specific problem is a problem with Mozilla and Firefox, too.

Only Opera with Java is not threatened.


26 posted on 11/24/2004 1:04:49 AM PST by ScottM1968
[ Post Reply | Private Reply | To 24 | View Replies]

To: dennisw

Some people never learn. They know Kazaa is full of nasties but free music downloads are irresistible. Of course, there's a price for everything and as in life, nothing is ever truly free.


27 posted on 11/24/2004 1:05:08 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 25 | View Replies]

To: ScottM1968

The advantage of open-source software is developers all over the world can see the bug's there and work to produce a fix for it. There's a good chance the next version of Mozilla/Firefox will have the security hole patched for good. MS isn't even trying.


28 posted on 11/24/2004 1:08:18 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 26 | View Replies]

To: dennisw
file sharing (kazaalite) where you virus infected downloads and going to porn sites, crack sites and stupid sites that load mal-ware onto your machine.

Not on MY machine!

Already running Spybot/Spywareblaster/AVG/Winpatrol daily anyway.

I pretty much live here on FR anyway.

Thanks for the info.

29 posted on 11/24/2004 1:09:57 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 25 | View Replies]

To: goldstategop

Kazaalite was the place to go for music and software stuffs. It's a bare shadow of what it once was. All downloads from there must be virus scanned immediately or you'll have problems.


30 posted on 11/24/2004 1:10:09 AM PST by dennisw (G_D: Against Amelek for all generations)
[ Post Reply | Private Reply | To 27 | View Replies]

To: goldstategop

Running 98SE and Mozilla with the above stuff also


31 posted on 11/24/2004 1:11:22 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 24 | View Replies]

To: goldstategop
However, it's not a problem with the browser. It is specifically a problem with the Java Runtime.

The only reason Opera is okay is because it has a different interface to the Java Runtime that "accidentally" stops the straight-forward attempt to use the Java bug. It is thought that the Apple environment may also be at risk because the same Java bug exists everywhere.
32 posted on 11/24/2004 1:16:01 AM PST by ScottM1968
[ Post Reply | Private Reply | To 28 | View Replies]

To: WestCoastGal

see #18 and download the 15 meg file for Windoz OS then close everything and install the file.

Love You


33 posted on 11/24/2004 1:24:43 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 31 | View Replies]

To: B4Ranch; Squantos

Over here for software upgrade see #15 for link


34 posted on 11/24/2004 1:27:21 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 33 | View Replies]

To: ChefKeith

Thanks, but I don't use Java or ActiveX


35 posted on 11/24/2004 1:34:16 AM PST by B4Ranch (The lack of alcohol in my coffee forces me to see reality!)
[ Post Reply | Private Reply | To 34 | View Replies]

To: ChefKeith

I've never seen such a confused mess in my life. Does anyone know which is the right link? Jeeeze.. talk about confusing.


36 posted on 11/24/2004 2:49:51 AM PST by grannie9
[ Post Reply | Private Reply | To 34 | View Replies]

To: ScottM1968; All

Thanks for the reply...however, when I go to the page on post #15, there are multiple choices for DL. And none of them say Version 1.4.2 or Version 1.5.0.

What's a person to do?


37 posted on 11/24/2004 3:58:54 AM PST by Khurkris (That sound you hear coming from over the horizon...thats me laughing.)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Eagle9

bump for later. need more coffee. thanks for the post.


38 posted on 11/24/2004 4:04:36 AM PST by the crow (I'm from the government. I'm here to help.)
[ Post Reply | Private Reply | To 1 | View Replies]

Pynnonen brought the problem to Sun's attention in late April, 2004, but Sun has only now posted an update -- J2SE 1.4.2_06
_________________________________________________________

The J2SE Java Runtime Environment (JRE) allows end-users to run Java applications.

Install Formats

The install formats for a given platform install the same software but in a different manner.

Windows Installation
Saves download time if installing only some of the features. This install first downloads and runs a small program that prompts the user for options to download and install. The user must be connected to the Internet in order to complete this installation. Includes support for additional languages, fonts and media. This choice downloads and installs Microsoft Windows Installer 2.0 if not already installed. If you are behind an authenticated proxy server or if you are on Windows 2003, you must use the Windows Offline Installer instead. Before making this choice, turn off any download managers, other than the Sun Download Manager, if you are using it.

Windows Offline Installation
This downloaded file includes everything required to perform a complete installation. It can be copied to a machine that is disconnected from the network and executed to perform a complete or custom install. Includes Microsoft Windows Installer 2.0 and support for additional languages, fonts and media. Use this installer if the normal Windows Installer does not work.


Solaris Self-extracting File
This file can be used to install the Java 2 SDK in a location chosen by the user. This file can be installed by anyone (not only root users), and it can be installed in any location. It will not displace the system version of the Java platform supplied by the Solaris operating environment (unless you intentionally install it in the same location as the system's Java platform, which requires you to be root user).

Solaris Packages - tar.Z
A file containing Solaris SUNW* packages to be installed with the pkgadd utility. The SUNW* packages require root access to install, and they install by default in a location such that they replace the system version of the Java platform supplied by the Solaris operating environment.


Linux Self-extracting File
This file can be used to install the Java platform in a location chosen by the user. This file can be installed by anyone (not only root users), and it can be installed in any location. It will not displace the system version of the Java platform supplied by the Linux operating environment (unless you intentionally install it in the same location as the system's Java platform, which requires you to be root user).

Linux RPM
A Linux RPM package file to be installed with the rpm utility. The RPM packages require root access to install, and they install by default in a location such that they replace the system version of the Java platform supplied by the Linux operating environment.


Java(TM) 2 Runtime Environment, Standard Edition 1.4.2_06

  Windows Platform
        Windows Offline Installation, Multi-language (j2re-1_4_2_06-windows-i586-p.exe, 14.96 MB)
        Windows Installation, Multi-language (j2re-1_4_2_06-windows-i586-p-iftw.exe, 1.35 MB)
  Linux Platform
        RPM in self-extracting file (j2re-1_4_2_06-linux-i586-rpm.bin, 13.24 MB)
        self-extracting file (j2re-1_4_2_06-linux-i586.bin, 13.73 MB)
  Solaris SPARC Platform
        32-bit self extracting file (j2re-1_4_2_06-solaris-sparc.sh, 14.08 MB)
        64-bit self extracting file (j2re-1_4_2_06-solaris-sparcv9.sh, 4.47 MB)
  Solaris x86 Platform
        self-extracting file (j2re-1_4_2_06-solaris-i586.sh, 12.48 MB)

39 posted on 11/24/2004 6:00:16 AM PST by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]

To: ScottM1968
That is even more confusing.

At the Sun link, the version is 1.4.2.06
At the Java.com link, the version is 1.4.2.05


Your new link says version 5, and their website says this:

J2SE 5 (formerly J2SE 1.5)

So, what actually is the latest, greatest? Can Sun afford to hire a Software Configuration Manager?

That posted link #11 says I have the latest version (I installed the 1.4.06 last nite).


Ok, I'm going for 5. hehehe.


[I just hate to install stuff that requires rebooting---it takes a week with the dozen spamware-catchers, virus scanners, ad-aware-finders I'm running. Ironically, each one has caught something that the others missed. No single one is comprehensive.]
40 posted on 11/24/2004 6:29:52 AM PST by TomGuy (America: Best friend or worst enemy. Choose wisely.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Eagle9
Note for Mozilla/Firefox users under Linux:

Make sure your symlink in your plugin directory points to the new version. Otherwise, Java will break in your browser.

If anyone needs details of how to do this, give me a shout.

41 posted on 11/24/2004 7:10:22 AM PST by zeugma (Come to the Dark Side...... We have cookies!)
[ Post Reply | Private Reply | To 39 | View Replies]
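
The symlink check from post 41, combined with the version facts in the article, as an added example (not code from the thread or from Sun): it resolves each symlink in a browser plug-in directory and classifies the JRE it points to against the fixed release J2SE 1.4.2_06. Install directory names such as `j2re1.4.2_06` are an assumption about a typical Linux install, and release lines the article does not mention are reported as not covered rather than guessed at.

```python
import os
import re

# Fixed release named in the article: J2SE 1.4.2_06.
FIXED_LINE = (1, 4, 2)
FIXED_UPDATE = 6

# Accepts "1.4.2_05", "1.4.2_06-b03", "1.5.0" and the thread's "1.4.2.06".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[._](\d+))?")
# Assumed install directory naming, e.g. j2re1.4.2_06 or jre1.5.0.
_DIR_RE = re.compile(r"^(?:j2re|jre|j2sdk|jdk)(\d+\.\d+\.\d+(?:_\d+)?)$")


def parse_jre_version(text):
    """Return ((major, minor, micro), update), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    line = tuple(int(g) for g in m.group(1, 2, 3))
    return line, int(m.group(4) or 0)


def classify(text):
    """Classify a version string using only what the article states."""
    parsed = parse_jre_version(text)
    if parsed is None:
        return "unknown"
    line, update = parsed
    if line == FIXED_LINE:
        return "patched" if update >= FIXED_UPDATE else "update-required"
    if line < FIXED_LINE:
        return "possibly-affected"  # "may also be within earlier versions"
    return "not-covered"  # newer release lines are outside the article


def version_from_path(path):
    """Pull the version out of a JRE install directory name in a path."""
    for part in path.split(os.sep):
        m = _DIR_RE.match(part)
        if m:
            return m.group(1)
    return None


def audit_plugin_dir(plugin_dir):
    """Resolve every symlink in a plug-in directory and classify its JRE."""
    findings = []
    for name in sorted(os.listdir(plugin_dir)):
        link = os.path.join(plugin_dir, name)
        if not os.path.islink(link):
            continue
        target = os.path.realpath(link)
        version = version_from_path(target)
        if not os.path.exists(target):
            status = "dangling"  # target JRE was removed: Java breaks in the browser
        elif version is None:
            status = "unknown"
        else:
            status = classify(version)  # a link left on an old JRE shows up here
        findings.append((name, version, status))
    return findings


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real system.
    for sample in ('java version "1.4.2_04"', "1.4.2.06", "1.5.0"):
        print(sample, "->", classify(sample))
```
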

To: zeugma

I'm not exactly sure what that means. I just uninstalled Java and reinstalled the 1.4.2-.05. It seems to run fine. I couldn't find the .06.


42 posted on 11/24/2004 7:19:06 AM PST by mlbford2 ("Never wrestle with a pig; you can't win, you just get filthy, and the pig loves it...")
[ Post Reply | Private Reply | To 41 | View Replies]

To: zeugma

Nevermind. I figured it out. Got version 5.


43 posted on 11/24/2004 7:51:56 AM PST by mlbford2 ("Never wrestle with a pig; you can't win, you just get filthy, and the pig loves it...")
[ Post Reply | Private Reply | To 41 | View Replies]

To: grannie9

see #18 I have installed it on 2 machines


44 posted on 11/24/2004 11:58:54 AM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 36 | View Replies]

To: Khurkris

pick for your OS then you coose between installing from the website or downloading the files to your machine and installing from your HDD


45 posted on 11/24/2004 12:01:53 PM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 37 | View Replies]

To: ChefKeith

coose=choose


46 posted on 11/24/2004 12:04:26 PM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 45 | View Replies]

To: TomGuy

don't need to reboot after this one


47 posted on 11/24/2004 12:05:28 PM PST by ChefKeith (Life is GREAT with CoCo..........NASCAR...everything else is just a game!(Except War & Love))
[ Post Reply | Private Reply | To 40 | View Replies]

To: ChefKeith

Bookmark for later...


48 posted on 11/24/2004 12:08:36 PM PST by Palladin (Proud to be a FReeper!)
[ Post Reply | Private Reply | To 47 | View Replies]

To: Palladin

me too


49 posted on 11/24/2004 12:18:56 PM PST by SeeRushToldU_So (We won !)
[ Post Reply | Private Reply | To 48 | View Replies]

To: goldstategop

That's because thanks to Sun Microsystems, Microsoft does not ship a Java-enabled browser any longer. So, please save your slobbering Microsoft hatred for a legitimate gripe on an appropriate thread.


50 posted on 11/24/2004 12:49:48 PM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.”)
[ Post Reply | Private Reply | To 28 | View Replies]

