Java Virtual Machine flaw

Discussion in 'other security issues & news' started by spy1, Nov 24, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.vnunet.com/news/1159632

    "Security experts have warned that millions of computer desktops are at risk from a newly discovered vulnerability in Sun Microsystems' Java Virtual Machine (JVM).

    IT security firm CyberGuard claimed that the Java flaw, which is present in the JVM on most desktop computers, "poses a significant security threat because it will not be closed by the usual Microsoft update process".

    "JVM is used extensively by many online services such as maps or chat portals," said Horst Joepen, chief executive of CyberGuard's Webwasher subsidiary.

    "This vulnerability could have a major impact on most enterprises, since even those with strict security policies do not usually forbid the download or use of Java."

    Joepen explained that the vulnerability is currently available only as a 'proof of concept' code, and that there had been no recorded outbreak of a virus or worm.

    However, he said that once a "vulnerability of this magnitude" is exposed, it is usually not long before the hackers produce an exploit.

    "Most PCs are vulnerable, since JVM is downloaded when users try to access websites that check for a JVM and then ask the user to automatically install it," Joepen said. "Since the Sun JVM is not part of Windows, Microsoft patches won't help." "

    (My apologies if this has already been covered). Pete
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    What the heck... yet another flaw. :mad:
     
  3. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    One thing that totally confuses me is that I'm sure I had read somewhere that the ..._06 JRE update had fixed this vulnerability. And yet both the Java Control Panel's Update button and the download site itself tell me that my _05 is right up to date.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Don't rely on the update button in the Sun Java control panel; it lies to you.

    It says you have the latest version when you haven't.

    I thought I was fully updated cos I check weekly, and found I was still running 1.41.6.

    The safest solution is to uninstall Java first from Add/Remove Programs and then go to http://www.java.com/en/index.jsp

    and press the get it now button.

    Makes it much easier than navigating the maze of confusing links on the Sun Java pages.

    And it appears that an upgrade does not fully remove the old version and a few problems can occur, so an uninstall & full install works better.
     
  5. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Thanks dvk, got the _06 just fine after I'd uninstalled _05 first, as you suggested.

    Oddly, even the "get it now" button/link took all of 2 seconds to advise that my _05 installation was right up to date, if I didn't uninstall it first.
     