Sun's Java Runtime Environment (JRE) contains serious security flaws that could allow remote attackers to execute applications on a system, the company has warned.

The bugs, patched in a new release yesterday, affect Windows, Unix and Linux platforms. The Java Software Development Kit (SDK) is also affected.

Sun outlined three separate vulnerabilities, each of which could independently allow a specially crafted Java applet, for example embedded in a Web page, to escalate its privileges. That could allow the applet to read and write local files and execute applications accessible to the user running the applet, with the user's privileges.

Ordinarily, Java applets are restricted from reading and writing files and executing applications by the Java "sandbox".

The JRE is the code used to execute Java applets on a local system, and is one of the most widely distributed client-side software products. Versions of the JRE are also found in unconventional systems such as mobile phones.

Secunia and FrSIRT, which maintain vulnerabilities databases, gave the vulnerabilities serious ratings - "highly critical" and "critical" respectively.

The first, unspecified vulnerability affects SDK and JRE 5.0 update 3 and earlier for Windows, Solaris and Linux, Sun said in an advisory.

The second advisory concerns three unspecified bugs in the use of the "reflection" API in the JRE. The first of the three "reflection" bugs can occur in SDK and JRE 1.3.1_15 and earlier, SDK and JRE 1.4.2_08 and earlier or JDK and JRE 5.0 Update 3 and earlier. The second and third of the flaws can occur in SDK and JRE 1.4.2_08 and earlier or JDK and JRE 5.0 Update 3 and earlier.

These bugs affect Windows, Unix and Linux versions of the JRE.

The third advisory warns of a bug in the Java Management Extensions (JMX) implementation included with the JRE. It affects SDK and JRE 5.0 Update 3 and earlier on Windows, Unix and Linux. Patches and instructions for patching are found in Sun's advisories.

A vulnerability with similar effects hit Sun's JRE almost exactly a year ago. That problem was within the access controls of the Java-to-Javascript data exchange in web browsers that use Plug-in technology, and lets Javascript load an unsafe class - something usually impossible.

In March, researchers discovered an attack using a Java .jar file to download malicious code onto a user's system. The attack represented a shift away from browser-specific technology such as ActiveX.