Sun Microsystems Inc. patched 11 vulnerabilities in the Windows, Linux and Solaris versions of its Java Runtime Environment and Java Web Start Wednesday, including several rated critical by outside researchers.
The fixes to Java Runtime Environment (JRE) 1.3.1, 1.4.2, 5.0 and 6.0 plug holes that attackers could use to bypass security restrictions, manipulate data, disclose sensitive information or compromise an unpatched machine. Among the JRE bugs, Sun said in several security advisories, are two that allow attack code from malicious sites to make network connections on machines other than the victimized computer. One possible result, according to a paper by several Stanford University researchers that was cited by Sun: circumvented firewalls.
Other vulnerabilities in JRE and Java Web Start, a framework that lets Java-based applications launch directly from a browser, could be used by attackers to read local files, overwrite local files and hide Java-generated warnings.
Although Sun doe…