THREAT OF THE MONTH: Sun/Oracle Java SE

August 1, 2011
What is it?
Oracle's June 2011 Critical Patch Update for Java SE addressed a large number of vulnerabilities in Sun/Oracle Java SE, affecting JDK and JRE 6 Update 25 and earlier, JDK 5.0 Update 29 and earlier, and SDK 1.4.2_31 and earlier.

How does it work?
The critical vulnerabilities are memory-corruption bugs of several classes in the native libraries shipped with the runtime: a use-after-free in the JP2IEXP.dll browser plug-in, triggered when the underlying DOM element is cloned; multiple integer overflows in cmm.dll when parsing structures in colour profiles (overflows of this kind typically wrap a size computation, so that a buffer is allocated too small and later written past its end); and a stack-based buffer overflow in jsound.dll within the “XExpandAiffIma()” function when parsing IMA4-compressed soundbank streams. Each is reached through content a web page can supply (an applet, or an image or sound file the applet loads), and a successful attack runs arbitrary code with the privileges of the user running the browser.
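The two parser bug classes named above (a wrapped 32-bit size computation, and a fixed-size buffer filled with a length taken from the input) are easier to recognise in code. The example below is added here as an illustration and is not code from Java SE or any Oracle library; the record layout (a big-endian count and entry size followed by the entries, and a one-byte block length) is a hypothetical one chosen for the demonstration. It shows the unchecked size computation beside a hardened parser that rejects both wrapping products and lengths the input cannot back.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code, not from any Java SE library. The record layout is a
 * hypothetical one: count (4 bytes BE), entry_size (4 bytes BE), then entries. */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the product is computed in 32 bits and wraps, so a
 * huge count yields a tiny allocation and the copy that follows runs past it.
 * 0x40000001 * 4 is 0x100000004, which wraps to 4. */
uint32_t table_bytes_unchecked(uint32_t count, uint32_t entry_size) {
    return count * entry_size;
}

/* Hardened parser: refuses a product that would wrap and a size larger than
 * the bytes actually present, then copies exactly what it allocated.
 * Returns 0 and hands back a malloc'd copy on success, -1 on any rejection. */
int parse_table(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    if (len < 8) return -1;                       /* header missing */
    uint32_t count = rd32be(buf);
    uint32_t esz   = rd32be(buf + 4);
    if (count == 0 || esz == 0) return -1;        /* nothing to parse */
    if (count > UINT32_MAX / esz) return -1;      /* product would wrap */
    size_t need = (size_t)count * esz;
    if (need > len - 8) return -1;                /* record is truncated */
    uint8_t *t = malloc(need);
    if (t == NULL) return -1;
    memcpy(t, buf + 8, need);
    *out = t;
    *out_len = need;
    return 0;
}

/* Stack-buffer pattern: a decoder that writes into a caller-supplied
 * fixed-size buffer must bound the block length carried in the stream by
 * both the input remaining and the destination capacity. The missing
 * dst_cap check is what turns this into a stack-based overflow when the
 * caller's destination lives on the stack. Returns bytes decoded or -1. */
int decode_block(const uint8_t *p, size_t len, uint8_t *dst, size_t dst_cap) {
    if (len < 1) return -1;
    size_t n = p[0];                              /* length byte from the stream */
    if (n > len - 1 || n > dst_cap) return -1;    /* the check the bug lacked */
    memcpy(dst, p + 1, n);
    return (int)n;
}
```

The overflow check `count > UINT32_MAX / esz` models the 32-bit arithmetic the bug class lives in; on a 64-bit build the `need > len - 8` check alone would also stop the attack, but keeping the explicit check makes the intent obvious to the next reader and keeps the code correct on 32-bit targets.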

Should I be worried?
Yes, if a vulnerable version is installed. These bugs are reached from a web page, so visiting a malicious or compromised site with the Java plug-in enabled is enough; no further user action is needed. Run “java -version” to check: a JRE 6 reporting 1.6.0_25 or lower, a JRE 5.0 reporting 1.5.0_29 or lower, or a 1.4.2 runtime at 1.4.2_31 or lower is affected, and the browser plug-in uses whichever runtime is registered, not necessarily the newest one on the system.

How can I prevent it?

Oracle released updated versions in June 2011 (the June Critical Patch Update, delivered as JDK/JRE 6 Update 26, JDK 5.0 Update 30 and SDK 1.4.2_32); install the update and remove older runtimes that remain on the system so the browser cannot fall back to them. Where Java in the browser is not needed, disabling the Java plug-in removes the exposure entirely.