JRun 3.0 and JRun 3.1 are the software developer's flagship Web services platform for Java 2 Enterprise Edition (J2EE) applications. Companies running the software on Windows NT 4 or Windows 2000 machines using IIS v4 and v5 are affected.
The vulnerability, discovered by developers in an NGS Software Insight security research advisory and reported to the CERT Coordination Center, is considered a high-risk bug, giving hackers remote administration of the company's entire Web server.
A patch can be found on Macromedia's download page and is already incorporated in JRun 4. Macromedia officials said anyone who has applied a security patch since November 2001 is safe from the vulnerability.
The bug was found when security experts at NGS Software put JRun through a buffer overflow test, also known as a denial of service (DoS) attack, and found a weakness in the ISAPI .dll. Hackers who access the ISAPI .dll directly as an application can swamp the Host Header field with too much information, causing the .dll to overwrite the field with a saved return address, giving them remote access to the entire Web server on a local SYSTEM account.
NGS Software reported the vulnerability to Macromedia back in April.
JRun, originally a software application developed by Allaire before Macromedia took over, has been a relatively bug-free piece of software. The only other reported vulnerability on the CERT site dates back to June 2000, with a "cross-site" scripting vulnerability, which has long since been patched.