Note: This is an archival copy of Security Sun Alert 200870 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000659.1.
Java 2 Platform, Standard Edition
Date of Resolved Release
A vulnerability in Java Web Start may allow an untrusted application to grant itself permissions to overwrite any file that is writable by the user running the application. This would include the user's .java.policy file which would allow the application to invoke applets or Java Web Start applications that can execute arbitrary code with the permissions of the user running the untrusted application.
Sun acknowledges, with thanks, John Heasman of NGSSoftware Limited, for bringing this issue to our attention.
This issue can occur in the following releases:
To determine the version of Java on a system, the following command can be run:
% java -version java version "1.5.0_02-b09"
There are no reliable symptoms that would indicate the described issue has been exploited.
To work around the described issue, disable Java Web Start applications from being launched from a web browser as follows:
1. On Windows, applications may also be launched from the desktop icon or from the "Start" menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item. For more information, see:
2. It is also possible to launch applications through the command line in Windows. Unknown applications should not be launched through the command line. Sites may consider renaming the Java Web Start launcher ("javaws.exe" for Windows) to prevent Java Web Start from launching.
The launcher can be found at:
This issue is addressed in the following releases:
J2SE 5.0 is available for download at the following link:
J2SE 1.4.2 is available for download at the following link:
Note: When installing a new version of the product, it is recommended that the old affected versions be removed from your system. For more information, please see:
This solution has no attachment