The problem affects various releases of versions 1.1 and 1.2 of the Java Runtime Environment for Linux, Microsoft's Windows and Sun's own Solaris operating system, the company said in the bulletin. "To the best of Sun's knowledge" the security hole doesn't affect Microsoft's Internet Explorer browser or Netscape's Navigator software, the Sun posting said.
In order for the security hole to be exploited, permission must be granted by a computer to run at least one Java command, according to the bulletin. "Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare," Sun said.
The vendor did not rule out that the bug may effect Java-based technology created by other vendors, but said it has notified Java licensees and made the fix available to them. Sun did not immediately return a call seeking further information.
The flaw has already been fixed in Sun's new Java 2 Platform, the company said. However, it does also affect certain releases of the Java Development Kit version 1.1. 6 and 1.1.7B.
Users are advised to upgrade to newer releases of the Java Runtime Environment and the Java Developer Kit. More detailed information can be found in the archive section of BugTraq, which can be accessed at http://www.securityfocus.com/.