Java News from Saturday, January 22, 2005

Fujitsu's uncovered a couple of security holes in Java that could allow untrusted applets to do pretty much anything they want, at least on Windows with Internet Explorer. Other platforms and browsers are affected, though perhaps not as badly. The exploit requires JavaScript to be enabled as well. In eight years of watching Java, this is the first really serious security hole I've seen. Java 1.5 is not affected. However, Java 1.4.2_05 and 1.3.1_12 and earlier are affected. If you haven't yet upgraded to 1.3.1_15, 1.4.2_06 or 1.5, do so today. Or, if you can't immediately do so, disable either Java or JavaScript in your browser. If you aren't sure what version of Java you have, open a shell or DOS prompt and type java -version like so:

$ java -version
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

Hmm, looks like I need to upgrade. However, Apple has not yet released a fix for this. It's not clear if Macs are vulnerable, but to be on the safe side I think I'll be disabling Java. OK, done, though it does seem that Mozilla needs a much better interface for removing plugins.
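
The version check above can be scripted. This is an added example, not part of the original post: it compares a java -version banner with the upgrade targets named here (1.3.1_15, 1.4.2_06, 1.5). The function names are made up for the example, and it assumes that any 1.3.1 or 1.4.2 build below its target needs the upgrade, while release lines the post does not name are reported as unknown.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner against the upgrade
# targets named in the post (1.3.1_15, 1.4.2_06, 1.5).
# Assumption: a 1.3.1 or 1.4.2 build below its target needs the upgrade;
# release lines the post does not name are reported as "unknown".

# Print the quoted version from the banner's first line, e.g. 1.4.2_05
java_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print "upgrade", "ok" or "unknown" for a version string such as 1.4.2_05
classify_java_version() {
    ver=$1
    base=${ver%%_*}                     # release line, e.g. 1.4.2
    case $ver in
        *_*) update=${ver#*_} ;;        # update number, e.g. 05 or 05-b04
        *)   update=0 ;;                # no update suffix at all
    esac
    update=${update%%-*}                # drop any build suffix
    case $update in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    # Strip leading zeros so 08 is compared as decimal 8
    update=$(printf '%s' "$update" | sed 's/^0*//')
    [ -n "$update" ] || update=0
    case $base in
        1.5|1.5.*) echo ok ;;
        1.4.2) if [ "$update" -lt 6 ]; then echo upgrade; else echo ok; fi ;;
        1.3.1) if [ "$update" -lt 15 ]; then echo upgrade; else echo ok; fi ;;
        *) echo unknown ;;
    esac
}

# Classify a whole banner; java prints it on stderr, so on a live system use:
#   check_java_banner "$(java -version 2>&1)"
check_java_banner() {
    classify_java_version "$(java_banner_version "$1")"
}

# Sample input: the banner shown in the post
sample='java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)'
echo "$(java_banner_version "$sample"): $(check_java_banner "$sample")"
```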