Serious Java hole affects multiple operating systems
TechRepublic:
Serious Java hole affects multiple operating systems
Several versions of the Java Virtual Machine that have been in use for years contain a serious vulnerability. Although the problem was only recently disclosed, Sun has apparently known for 11 months that the Java RunTime Environment code contains a flaw that could allow an attacker to capture sensitive data by redirecting Web traffic.
Microsoft reports that this problem is a threat to anyone who connects to the Internet through a proxy server. A remote server could use a hostile Java applet to hijack the user’s HTTP connection to the proxy. It’s more than a bit ironic that proxy servers are normally used to improve security but the bug could allow attackers to redirect proxy Web traffic to a new destination.
Microsoft was the first to release a patch for this problem (MS02-013), but the threat isn’t confined to Internet Explorer users. This vulnerability also affects Netscape Navigator and Sun platforms. The Sun security bulletin HttpURLConnection is #00216. Mitre identifies this vulnerability in report CAN-2002-0058. Again, any system with an HTTP proxy server could be at risk.
According to Sun Microsystems, Netscape Navigator versions 6.1, 6.0.1, and 6.0, as well as Netscape Communicator version 4.79 and earlier, contain the vulnerable Java code. Microsoft’s Virtual Machine through build 3802 are all affected.
