Companies facing wave of Internet threats

Enterprises are facing new Internet threats from several different directions this week, with serious security flaws disclosed in the Java Runtime Environment (JRE), Windows and Internet Explorer, and exploit code released to exploit a recent flaw in the Mozilla Firefox browser.

Sun Microsystems has warned of seven serious security bugs in JRE, which could allow malicious Java applets to get around the "sandbox" that normally screens applets off from the rest of the operating system. The bugs are due to various unspecified errors in JRE's "reflection" APIs, Sun said.

The flaws, which affect recent versions of JRE on Windows, Solaris and Linux, could give malicious applets the same access to the operating system as the user running the applet, Sun said. "For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user," Sun said in an advisory.

More details and patching instructions are available in the advisory. No workaround is possible, Sun said. Secunia, which maintains a vulnerabilities database, gave the bugs a "highly critical" rank.

Microsoft bugs

Microsoft warned of two unpatched vulnerabilities, one affecting Windows and one affecting older versions of Internet Explorer. Microsoft released an advisory detailing a workaround for the IE flaw, and a separate advisory with a workaround for the Windows flaw.

The browser flaw affects only IE 5.0 on Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium, according to Microsoft; that said, vulnerabilities affecting only older platforms have recently shown that they can cause significant problems. The bug allows the use of a maliciously crafted Windows Metafile (WMF) image to take over a system, Microsoft said.

It is separate from another WMF-related bug that has been widely exploited on the Internet in recent days, according to the company.

The second bug relates to proof-of-concept code released by two Princeton University researchers, demonstrating that overly permissive Access Control Lists (ACLs) set by third-party Windows applications can be abused to give those applications elevated privileges. The code also attempts to escalate a user's privileges by exploiting the default service permissions of Windows XP Service Pack 1 and Windows Server 2003.

The company admitted that Windows was vulnerable, but downplayed the risk posed by the proof-of-concept code. "Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced," the advisory said.

Users can further reduce the risks using workarounds to change the default ACLs in the affected systems, as detailed in the advisory.
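The weakness described above comes down to service security descriptors that grant configuration or ownership rights to broad groups such as Authenticated Users. The following PowerShell script is an added example for auditing that condition; it is not from the article, from Microsoft's advisory or from the Princeton proof-of-concept. It assumes sc.exe and PowerShell 5.1 or later on the host, and the sample SDDL string it starts with is constructed for illustration.

```powershell
# Added example (not the article's or Microsoft's code): find service DACL entries that let
# broad, low-privileged principals reconfigure a service or take over its security descriptor.
# Assumes sc.exe is available and PowerShell 5.1+ (System.Security.AccessControl types).

# Service-specific and standard rights that allow changing what a service runs or who controls it.
$RightsOfConcern = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # shown as "DC" in SDDL for service objects
    WRITE_DAC             = 0x00040000   # "WD"
    WRITE_OWNER           = 0x00080000   # "WO"
    GENERIC_WRITE         = 0x40000000   # "GW"
    GENERIC_ALL           = 0x10000000   # "GA"
}

# Principals that essentially every logged-on user belongs to; a grant here is effectively world-writable.
$BroadPrincipals = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

function Get-ServiceSddl {
    # Reads a service's security descriptor in SDDL form via "sc.exe sdshow <name>".
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name 2>$null
    return (($out | Where-Object { $_ -match '^[DOGS]:' }) -join '')
}

function Find-WeakServiceAces {
    # Returns one object per access-allowed ACE that grants a right of concern to a broad principal.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$ServiceName
    )
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return }   # e.g. sdshow failed or access denied
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($BroadPrincipals -notcontains $sid) { continue }
        $hits = foreach ($entry in $RightsOfConcern.GetEnumerator()) {
            if (($ace.AccessMask -band $entry.Value) -ne 0) { $entry.Key }
        }
        if ($hits) {
            [pscustomobject]@{
                Service   = $ServiceName
                Principal = $sid
                Rights    = ($hits -join ',')
            }
        }
    }
}

# Constructed sample: a descriptor whose last ACE hands Authenticated Users (AU) change-config,
# WRITE_DAC and WRITE_OWNER rights. This is the pattern to look for, not a real service's DACL.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'
Find-WeakServiceAces -Sddl $SampleSddl -ServiceName 'SampleSvc' | Format-Table -AutoSize
# Expected: one row, Principal S-1-5-11, Rights SERVICE_CHANGE_CONFIG,WRITE_DAC,WRITE_OWNER

# Audit every installed service on this host (run elevated so sdshow can read each descriptor).
Get-Service | ForEach-Object {
    Find-WeakServiceAces -Sddl (Get-ServiceSddl -Name $_.Name) -ServiceName $_.Name
} | Format-Table -AutoSize
```

Any service that appears in the output is a candidate for the ACL tightening Microsoft's advisory describes; the check deliberately ignores start/stop rights, since those are often granted to interactive users by design and do not by themselves let a caller change the service binary.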

Earlier in the week, Microsoft said it was investigating reports of a remotely exploitable buffer overflow in HTML Help Workshop, Windows' built-in help system, which could allow attackers to take over a system using a specially crafted .hhp file. Security researchers had warned that exploit code for the .hhp flaw was circulating on the Internet.

Firefox exploit code

Mozilla Firefox users face a similar threat at present, with two pieces of exploit code now publicly circulating that target a bug patched last week.

The problem affected only users of Firefox 1.5 on Mac OS X or Linux, and was fixed late last week with the Firefox update, according to Firefox developers. Firefox 1.5 automatically updates users by default, and developers said most users had already been upgraded by the time the exploits were released as part of the Metasploit Framework.

Nevertheless, the browser maker on Tuesday raised its assessment of the bug to "critical," its most severe rating, following the publication of the exploit code.

Matthew Broersma