Sun Microsystems has patched serious security holes in its Java Runtime Environment (JRE), that allow remote attackers to execute arbitrary code on users' systems.
The JRE is code used to execute Java applets on local systems and is one of the most widely used client software products. JRE is also used on mobile devices, including smartphones.
The bugs affect the Windows, Unix and Linux operating systems and also the Java Software Development Kit (SDK).
Sun has patched three vulnerabilities in JRE, which all have the potential to allow a specially crafted Java applet, which could for instance be embedded in a web page, to extend its privileges on a system.
Such an applet could be used to read and write local files and execute applications, using the infected user's privileges.
Internet security company Secunia has classed the JRE vulnerabilities as "highly critical".
These latest vulnerabilities are similar to a JRE security hole that was patched 12 months ago by Sun.