Updates for Java eliminate many security holes

July 10, 2008 – 5:59 AM

Sun Microsystems has issued updates for Java to eliminate many errors and vulnerabilities in the Java Development Kit (JDK) and the Java Runtime Environment (JRE). These include DoS vulnerabilities, buffer overflows and other errors that could cause a crash or allow a crafted applet to access certain resources, the file system, or even the entire computer. Some of the errors are in Java Web Start, some in the Java Management Extensions (JMX) Management Agent, while others are in the functions that process XML data.

However, not every listed error is present in every version. Users will have difficulty deciding which versions are actually affected by what, because Sun has spread its explanations of the individual problems over eight security advisories. Basically, all the errors listed are eliminated in the latest versions: JDK and JRE 6 Update 7, JDK and JRE 5.0 Update 16, SDK and J2SE 1.4.2_18, and SDK and J2SE 1.3.1_23.

The three older versions of Java – 1.3.1, 1.4.2 and 5 – have either entered the technology End of Life (EOL) transition period, or have already exceeded it. For 1.3.1, for example, there are only updates for Solaris. Support for 1.4.2 will end on 30 October 2008, and for version (1.)5 on 30 October 2009. After that, there will be no further security updates. So users should consider switching over immediately to version 6 – which is really 1.6. Since the Java installation programs don’t uninstall older versions of the software, users have to remove them manually, for example via the Control Panel under Windows.
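Because older installs stay on disk next to the new one, each installed version needs checking against the fixed releases listed above. The following sketch is an added example, not part of the original article or Sun's tooling; it assumes version strings in the `1.x.y_NN` form printed by `java -version`, and the function names and sample inventory are constructed for illustration.

```python
import re

# Fixed update level per release family, as listed in the article:
# 6 Update 7, 5.0 Update 16, 1.4.2_18 and 1.3.1_23.
FIXED_UPDATE = {
    (1, 3, 1): 23,
    (1, 4, 2): 18,
    (1, 5, 0): 16,
    (1, 6, 0): 7,
}

# Matches "1.6.0_07", "1.5.0_16-b02" or a bare "1.4.2" (no update suffix).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor, micro), update) or None if no version is found."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, micro, update = match.groups()
    # A release without an "_NN" suffix is the initial build: update 0.
    return (int(major), int(minor), int(micro)), int(update or 0)


def assess(text):
    """Classify one version string against the fixed releases."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        # Family not named in the article; do not guess its status.
        return "not-covered"
    return "patched" if update >= fixed else "outdated"


def outdated_installs(version_strings):
    """Return the installed versions that still need removing or updating."""
    return [v for v in version_strings if assess(v) == "outdated"]


# Constructed inventory: a current JRE 6 next to leftovers that the
# installer did not remove.
SAMPLE_INSTALLS = ["1.6.0_07", "1.6.0_03", "1.5.0_16", "1.4.2_12"]

if __name__ == "__main__":
    for version in SAMPLE_INSTALLS:
        print(version, assess(version))
```

A "patched" result for 1.3.1, 1.4.2 or 1.5.0 only covers this round of fixes; those families still run out of security updates on the EOL dates given above.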

