Note: This is an archival copy of Security Sun Alert 200883 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000671.1.
Article ID : 1000671.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE



Category
Security

Release Phase
Resolved

Product
Java 2 Platform, Standard Edition

Bug Id
6281384

Date of Resolved Release
21-AUG-2006

Impact

The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.


Contributing Factors

This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

  • Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
  • Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
  • Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0

To determine the default version of the JRE on a system for Solaris and Linux, the following command can be run:

    % java -version

Note: The above command only determines the default version. Other versions may also be installed on the system.

To determine the default version of the JRE on a system for Windows:

  1. Click "Start"
  2. Select "Run"
  3. Type "cmd" (starts a command-line)
  4. At the prompt, type "java -version"

Note: The above command only determines the default version. Other versions may also be installed on the system.


Symptoms

There are no reliable symptoms that would indicate that a specific release of the JRE is being used if that specified release of the JRE is already installed on the system and accessible by the Java Plug-in or Java Web Start. If the specified release of the JRE is not already installed, the end user may be prompted to download a JRE.


Workaround

To work around the described issue for the Java Plug-in on the Solaris and Linux platforms, use the latest JRE releases available from Sun and remove all symbolic links of earlier versions of Java Plug-in from the browser "plugins" directory.


Resolution

This issue is addressed in the following J2SE releases:

Java Plug-in:

  • Java Plug-in 5.0 Update 6 and later for Windows

Notes:

  1. Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE.
  2. For Solaris and Linux, please see the "Relief/Workaround" section above.

 

Java Web Start:

  • Java Web Start 5.0 Update 6 and later for Windows, Solaris, and Linux

Note: Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected.

J2SE 5.0 is available for download at the following links:

J2SE 5.0 for Solaris is available in the following patches:

  • J2SE 5.0: update 7 (as delivered in patch 118666-06)
  • J2SE 5.0: update 7 (as delivered in patch 118667-06 (64bit))
  • J2SE 5.0_x86: update 7 (as delivered in patch 118668-06)
  • J2SE 5.0_x86: update 7 (as delivered in patch 118669-06 (64bit))

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.



References

118666-06
118667-06
118668-06
118669-06

References

SUNPATCH:118666-06
SUNPATCH:118667-06
SUNPATCH:118668-06
SUNPATCH:118669-06



Attachments
This solution has no attachment