Vulnerabilities found in Sun Java System Communications Express

Core says it has unearthed multiple critical vulnerabilities on this web-based communications and collaboration application that could affect large numbers of end user companies. If activated, it says, they could allow attackers to target users of the application through exploitation of cross-site scripting (XSS) bugs. "Cross-site scripting bugs are popular among attackers attempting to coax web applications into providing control of end users' browsers to carry out a wide range of malicious schemes," asserts Core CTO Ivan Arce. "It is very important that organisations take the necessary steps to ensure that the applications they build or licence from third parties are not susceptible to these types of exploits." And since Sun's Java System Communications Express is widely used for remote access to browser-based email, calendaring and task management, that message will apply to a lot of companies. In brief detail, the XSS issues reside in the suite's personal address book and another URL, and were initially discovered and researched by the security consulting services team at Core. CoreLabs si working with the Sun Security Coordination Team to create patches.