Companies facing wave of Internet threats

Enterprises are facing new Internet threats from several different directions this week, with serious security flaws disclosed in the Java Runtime Environment (JRE), Windows and Internet Explorer, and exploit code released to exploit a recent flaw in the Mozilla Firefox browser.

Sun Microsystems has warned of seven serious security bugs in JRE, which could allow malicious Java applets to get around the "sandbox" that normally screens applets off from the rest of the operating system. The bugs are due to various unspecified errors in JRE's "reflection" APIs, Sun said.

The flaws, which affect recent versions of JRE on Windows, Solaris and Linux, could give malicious applets the same access to the operating system as the user running the applet, Sun said. "For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user," Sun said in an advisory.

More details and patching instructions are available in the advisory. No workaround is possible, Sun said. Secunia, which maintains a vulnerabilities database, gave the bugs a "highly critical" rank.

Microsoft bugs

Microsoft warned of two unpatched vulnerabilities, one affecting Windows and one affecting older versions of Internet Explorer. Microsoft released an advisory detailing a workaround for the IE flaw, and a separate advisory with a workaround for the Windows flaw.

The browser flaw affects only IE 5.0 on Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium, according to Microsoft; that said, vulnerabilities affecting only older platforms have recently shown that they can cause significant problems. The bug allows the use of a maliciously crafted Windows Metafile (WMF) image to take over a system, Microsoft said.

It is separate from another WMF-related bug that has been widely exploited on the Internet in recent days, according to the company.

The second bug relates to proof-of-concept code released by two Princeton University researchers, demonstrating that Access Control Lists (ACLs) used in third-party Windows applications can be easily used to give applications elevated privileges. The code also attempts to escalate a user's privileges by exploiting default services of Windows XP Service Pack 1 and Windows Server 2003.

The company admitted that Windows was vulnerable, but downplayed the risk posed by the proof-of-concept code. "Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 003 users is reduced," the advisory said.

Users can further reduce the risks using workarounds to change the default ACLs in the affected systems, as detailed in the advisory.

Earlier in the week, Microsoft said it was investigating reports of a remotely exploitable buffer overflow in HTML Help Workshop, Windows' built-in help system, which could allow attackers to take over a system using a specially crafted .hhp file. Security researchers had warned that exploit code for the .hhp flaw was circulating on the Internet.

Firefox exploit code

Mozilla Firefox users face a similar threat at present, with two pieces of exploit code now publicly circulating that can affect a bug patched last week.

The problem affected only users of Firefox 1.5 on Mac OS X or Linux, and was fixed late last week with the Firefox 1.5.0.1 update, according to Firefox developers. Firefox 1.5 automatically updates users by default, and developers said most users had already been upgraded by the time the exploits were released as part of the Metasploit Framework.

Nevertheless, the browser maker on Tuesday raised its assessment of the bug to "critical," its most severe rating, following the publication of the exploit code.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?