Enterprises are facing new Internet threats from several different directions this week, with serious security flaws disclosed in the Java Runtime Environment (JRE), Windows and Internet Explorer, and exploit code released for a recent flaw in the Mozilla Firefox browser.
Sun Microsystems has warned of seven serious security bugs in JRE, which could allow malicious Java applets to get around the "sandbox" that normally screens applets off from the rest of the operating system. The bugs are due to various unspecified errors in JRE's "reflection" APIs, Sun said.
The flaws, which affect recent versions of JRE on Windows, Solaris and Linux, could give malicious applets the same access to the operating system as the user running the applet, Sun said. "For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user," Sun said in an advisory.
More details and patching instructions are available in the advisory. No workaround is possible, Sun said. Secunia, which maintains a vulnerabilities database, gave the bugs a "highly critical" rank.
Microsoft warned of two unpatched vulnerabilities, one affecting Windows and one affecting older versions of Internet Explorer. Microsoft released an advisory detailing a workaround for the IE flaw, and a separate advisory with a workaround for the Windows flaw.
The browser flaw affects only IE 5.0 on Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium, according to Microsoft; that said, vulnerabilities affecting only older platforms have recently shown that they can cause significant problems. The bug allows the use of a maliciously crafted Windows Metafile (WMF) image to take over a system, Microsoft said.
It is separate from another WMF-related bug that has been widely exploited on the Internet in recent days, according to the company.
The second bug relates to proof-of-concept code released by two Princeton University researchers, demonstrating that Access Control Lists (ACLs) used in third-party Windows applications can be easily used to give applications elevated privileges. The code also attempts to escalate a user's privileges by exploiting default services of Windows XP Service Pack 1 and Windows Server 2003.
The company admitted that Windows was vulnerable, but downplayed the risk posed by the proof-of-concept code. "Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced," the advisory said.
Users can further reduce the risks using workarounds to change the default ACLs in the affected systems, as detailed in the advisory.
Earlier in the week, Microsoft said it was investigating reports of a remotely exploitable buffer overflow in HTML Help Workshop, Windows' built-in help system, which could allow attackers to take over a system using a specially crafted .hhp file. Security researchers had warned that exploit code for the .hhp flaw was circulating on the Internet.
Firefox exploit code
Mozilla Firefox users face a similar threat at present, with two pieces of exploit code now publicly circulating that target a bug patched last week.
The problem affected only users of Firefox 1.5 on Mac OS X or Linux, and was fixed late last week with the Firefox 18.104.22.168 update, according to Firefox developers. Firefox 1.5 automatically updates users by default, and developers said most users had already been upgraded by the time the exploits were released as part of the Metasploit Framework.
Nevertheless, the browser maker on Tuesday raised its assessment of the bug to "critical", its most severe rating, following the publication of the exploit code.