Java: Sun Set to Deliver Software Fix for Java Development Kit Security Bug - Product Information

Edge: Work-Group Computing Report, March 29, 1999

Sun Microsystems, Inc. Friday announced it has created a fix to a newly discovered implementation bug in the Java Development Kit (JDK) that affects both JDK 1.1.x and the Java 2 platform.

The bug poses a potential security risk by allowing an untrusted applet to execute unverified code under certain circumstances. There are no reports of any attacks based on this bug.

After being briefed on the bug, Sun created and tested a fix. Releases of the patch for all Java 1.1.x platforms and the Java 2 platform are imminent. The fix will also be available as a part of JDK 1.1.8 and Java 2, v 1.2.1, both scheduled for release in April.

The bug was discovered by a German graduate student as part of a research project and was reported to Sun on March 11, 1999 by Ed Felton, who heads the Princeton University Secure Internet Programming Lab.

"It is important to keep in mind that this is an implementation bug and not a flaw in the basic Java platform security model or architecture," said Jon Kannegaard, vice president and general manager, Java Platform at Sun Microsystems Java Software.

"We invite scrutiny from the Internet community and publish our source code so that the community will be able to analyze our security implementations and give us valuable feedback on the architecture and our implementation. We firmly believe that this is the best way to evolve the Java platform security model in this spirit of openness."

Kannegaard continued, "Sun takes every security-related implementation flaw in Java code very seriously and we thank the Princeton team for their contribution to the Java platform." FMI: http://java.sun.com/sfaq.> With more than $10.5 billion in annual revenues, Sun can be found in more than 150 countries and on the World Wide Web at http://sun.com.