Companies facing wave of Internet threats

Enterprises are facing new Internet threats from several different directions this week, with serious security flaws disclosed in the Java Runtime Environment (JRE), Windows and Internet Explorer, and exploit code released for a recently patched flaw in the Mozilla Firefox browser.

Sun Microsystems has warned of seven serious security bugs in JRE, which could allow malicious Java applets to get around the "sandbox" that normally screens applets off from the rest of the operating system. The bugs are due to various unspecified errors in JRE's "reflection" APIs, Sun said.

The flaws, which affect recent versions of JRE on Windows, Solaris and Linux, could give malicious applets the same access to the operating system as the user running the applet, Sun said. "For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user," Sun said in an advisory.

More details and patching instructions are available in the advisory. No workaround is possible, Sun said. Secunia, which maintains a vulnerabilities database, gave the bugs a "highly critical" rank.

Microsoft bugs

Microsoft warned of two unpatched vulnerabilities, one affecting Windows and one affecting older versions of Internet Explorer. Microsoft released an advisory detailing a workaround for the IE flaw, and a separate advisory with a workaround for the Windows flaw.

The browser flaw affects only IE 5.0 on Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium, according to Microsoft; that said, vulnerabilities affecting only older platforms have recently shown that they can cause significant problems. The bug allows the use of a maliciously crafted Windows Metafile (WMF) image to take over a system, Microsoft said.

It is separate from another WMF-related bug that has been widely exploited on the Internet in recent days, according to the company.

The second bug relates to proof-of-concept code released by two Princeton University researchers, demonstrating that Access Control Lists (ACLs) used in third-party Windows applications can be easily used to give applications elevated privileges. The code also attempts to escalate a user's privileges by exploiting default services of Windows XP Service Pack 1 and Windows Server 2003.

The company admitted that Windows was vulnerable, but downplayed the risk posed by the proof-of-concept code. "Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced," the advisory said.

Users can further reduce the risks using workarounds to change the default ACLs in the affected systems, as detailed in the advisory.

Earlier in the week, Microsoft said it was investigating reports of a remotely exploitable buffer overflow in HTML Help Workshop, Windows' built-in help system, which could allow attackers to take over a system using a specially crafted .hhp file. Security researchers had warned that exploit code for the .hhp flaw was circulating on the Internet.

Firefox exploit code

Mozilla Firefox users face a similar threat at present, with two pieces of exploit code now publicly circulating that target a bug patched last week.

The problem affected only users of Firefox 1.5 on Mac OS X or Linux, and was fixed late last week with the Firefox 1.5.0.1 update, according to Firefox developers. Firefox 1.5 automatically updates users by default, and developers said most users had already been upgraded by the time the exploits were released as part of the Metasploit Framework.

Nevertheless, the browser maker on Tuesday raised its assessment of the bug to "critical," its most severe rating, following the publication of the exploit code.

Matthew Broersma

Techworld.com