Java Virus Jumps Out of Sandbox
By Jim Wagner
Security researchers are calling attention to what they called a "fairly
significant" vulnerability in Sun Microsystems' Java virtual machine that
gives crackers access to a user's
According to iDefense, the vulnerability involves the internal packages
within Sun's JVM on certain versions of Java 2, Standard Edition (J2SE)
1.4.2 running on the Unix and Windows platforms, and is reachable from
Internet Explorer (IE), Mozilla and Firefox. The JVM allows Java code to run
on any platform, regardless of the operating system.
With the sandbox bypassed, the attacker gains access to the user's network
and the ability to read, download, upload or execute files on the user's PC
or workstation.
Officials at the security outfit confirmed its existence on J2SE 1.4.2_01
and J2SE 1.4.2_04 and suspect it resides in other builds of the Java
technology. Sun was notified of the flaw June 29 and issued an update to the
affected software with build 6, published on the Sun Web site Oct. 11,
according to officials at the software company.
According to Michael Sutton, iDefense director, what makes this
vulnerability stand out is that Java otherwise has a secure method of
preventing applets from accessing local data without permission: the
sensitive functionality is contained in restricted internal packages, and a
user would normally have to accept a signed certificate saying they trust the
applet's issuer before it could execute outside the sandbox.
way it calls them," he said. "Normally, you should not be able to access
anything outside the sandbox and this vulnerability allows you to do so.
The exploit itself is pretty trivial, it's not very detailed, it's just a
flaw in the implementation."
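The two checks the previous paragraphs describe, as an added illustration (not iDefense's or Sun's code): a SecurityManager refusing a local file read and refusing access to a restricted internal package, first for code the policy trusts (the equivalent of a user accepting a signed applet's certificate) and then for code confined to an empty-permission domain (the applet sandbox). It assumes a JDK from 8 to 17, where SecurityManager can still be installed, and assumes that "sun.misc" is listed in the package.access security property on those releases; the file path is a constructed input.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Added illustration of the J2SE sandbox checks: not iDefense's or Sun's code.
 * Assumes JDK 8-17 and that "sun.misc" is a restricted package (package.access).
 */
public class SandboxChecks {

    /** Constructed inputs for the demonstration. */
    static final String LOCAL_FILE = "/etc/passwd";   // any file outside the JDK itself
    static final String INTERNAL_PKG = "sun.misc";    // assumed restricted internal package

    /** Stand-in for the user accepting a signed applet's certificate: every
     *  policy-checked domain is granted everything. */
    static final class TrustAll extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return true;
        }
    }

    /** The applet sandbox: a protection domain carrying no permissions. A domain
     *  built with static permissions is never consulted against the Policy. */
    static AccessControlContext sandbox() {
        ProtectionDomain noPermissions = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null),
                new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { noPermissions });
    }

    /** Runs the check directly (trusted code) or inside the sandbox context;
     *  returns true when the SecurityManager refused it. */
    static boolean blocked(Runnable check, AccessControlContext sandboxCtx) {
        try {
            if (sandboxCtx == null) {
                check.run();
            } else {
                // Every permission check inside the action is intersected with
                // sandboxCtx, so the empty domain makes all of them fail.
                AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                    check.run();
                    return null;
                }, sandboxCtx);
            }
            return false;
        } catch (SecurityException denied) {
            return true;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new TrustAll());          // must precede installing the manager
        SecurityManager sm = new SecurityManager();
        System.setSecurityManager(sm);

        // checkRead maps to FilePermission(path, "read"); checkPackageAccess maps to
        // RuntimePermission("accessClassInPackage." + pkg) for restricted packages.
        Runnable readFile = () -> sm.checkRead(LOCAL_FILE);
        Runnable touchInternal = () -> sm.checkPackageAccess(INTERNAL_PKG);

        System.out.println("trusted code, file read blocked:    " + blocked(readFile, null));
        System.out.println("trusted code, sun.misc blocked:     " + blocked(touchInternal, null));
        System.out.println("sandboxed applet, file read blocked: " + blocked(readFile, sandbox()));
        System.out.println("sandboxed applet, sun.misc blocked:  " + blocked(touchInternal, sandbox()));
    }
}
```

Compile and run with `javac SandboxChecks.java && java SandboxChecks` (on JDK 18 and later, add `-Djava.security.manager=allow` to the `java` command, since installing a manager at run time is otherwise refused). The trusted calls go through because the policy grants the code everything; the sandboxed calls are refused because the empty domain is intersected into every check. An unsigned applet is meant to land on the sandboxed side of both checks, and what iDefense reports is that the flawed implementation lets such an applet reach the internal packages anyway.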
While iDefense experts say the exploit requires the target user to be running
a browser that loads the JVM, it is possible to create a cross-platform,
cross-browser exploit that would give the attacker the same privileges as the
victim.
Users can download the latest version of the J2SE Java Runtime Environment
(JRE) 1.4.2 here. A complete list of bugfixes in build 6 can be found
or use a third-party vendor's virtual machine (VM), like the Microsoft VM.
A spokesman for Sun was not immediately reachable.
Article quoted directly from: