Information Technology Services: Alerts Archive

ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number:  120204-02
Alert Date:  12/02/04
Alert Title:  Java Plug-in Security Bypass Vulnerability
Update-to:  None
OS/Platform/Application:  Browsers (on most any platform, e.g., Solaris, Windows, Linux) running Sun Java JRE 1.3.x, 1.4.x and Sun Java SDK 1.3.x, 1.4.x
Category:  ALERT
Severity:  HIGH
Attention:  System Administrators, Desktop Support Personnel

Summary:  The Java Plug-in from Sun Microsystems (part of the Java Runtime Environment, 'JRE') connects popular web browsers to the Java platform. A common use of this technology is running website applets on a user's desktop. A vulnerability exists that may allow attackers to bypass the Plug-in's security measures and execute hostile applets that could access, upload, download or execute arbitrary files on a vulnerable system.

Recommended Actions:  An upgrade is available for the SDK and JRE plug-ins; the vendor advertises SDK/JRE 1.4.2_06 and later, as well as SDK/JRE 1.3.1_13 and later, as a viable resolution to this issue. To determine whether a Windows system is using the Sun JRE, go to Start > Settings > Control Panel > Add or Remove Programs, search for "Java 2 Runtime Environment", and note the listed version. If the Sun JRE is in use, install the upgrade package per the instructions provided by Sun (listed in the Resources section below).

ITS Actions:  At this time, ITS is taking no specific additional actions to counter this threat. An update will be issued if this situation changes.

Resources:
Sun Security Alert:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

Java Manual Download Page:
http://java.com/en/download/manual.jsp

iDefense Alert on vulnerability:
http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=false

US-CERT Alert on vulnerability:
http://www.kb.cert.org/vuls/id/760344

NOTE:  PLEASE DO NOT REPLY TO THIS ALERT.  Alerts distributed by ALARM are not intended to supplant whatever security measures you are currently following. Technology coordinators, as well as the entire UAlbany computing community, should continue to take all necessary precautions against threats to system security and information integrity.
