Note: This is an archival copy of Security Sun Alert 238966 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019374.1.
Date of Resolved Release
Security Vulnerability in JDK/JRE Secure Static Versioning
Secure Static Versioning was introduced in JDK and JRE 5.0 Update 6. With this feature, after the installation of a JRE 5.0 Update 6 or later release, applets are not allowed to run on an older release of the JRE. Due to a defect in the implementation, if an older release is subsequently installed, applets may run on that older release.
Sun acknowledges, with thanks, John Heasman of NGSSoftware for bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases on Windows VISTA:
To determine the default version of the JRE that Internet Explorer uses:
To determine the default version of the JRE that Mozilla or Firefox browsers use, visit the URL "about:plugins".
The browser will display a page called "Installed plug-ins" which lists the version of the Java Plug-in as in the following example:
Java(TM) Plug-in 1.5.0_11-b03
The above example indicates the version of the JRE that the browser uses is 1.5.0_11.
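The version check described above can be scripted when plug-in strings are collected from many hosts. The following is an added example, not part of the original advisory: it parses strings in the format shown above and compares 5.0 releases against the fixed release this advisory names (5.0 Update 16). The function names, result labels and all sample lines other than the advisory's own are constructed for illustration.

```python
import re

# Fixed 5.0 release named in this advisory: JDK and JRE 5.0 Update 16.
FIXED_5_0_UPDATE = 16

# Matches the format shown in the advisory, e.g. "Java(TM) Plug-in 1.5.0_11-b03":
# a family (1.5.0), an optional update (_11) and an optional build (-b03).
PLUGIN_RE = re.compile(
    r"Java\(TM\) Plug-in "
    r"(?P<version>(?P<family>\d+\.\d+\.\d+)(?:_(?P<update>\d+))?)"
    r"(?:-(?P<build>b\d+))?"
)

def parse_plugin_version(line):
    """Return (version, family, update) for a plug-in line, or None."""
    m = PLUGIN_RE.search(line)
    if m is None:
        return None
    # A release with no "_NN" suffix is the initial release: update 0.
    return m.group("version"), m.group("family"), int(m.group("update") or 0)

def classify(line):
    """Label a plug-in line relative to the fix named in this advisory."""
    parsed = parse_plugin_version(line)
    if parsed is None:
        return "unparsed"
    _, family, update = parsed
    if family != "1.5.0":
        # The fixed update for other families is not stated on this page.
        return "check-advisory"
    return "has-fix" if update >= FIXED_5_0_UPDATE else "predates-fix"

if __name__ == "__main__":
    samples = [
        "Java(TM) Plug-in 1.5.0_11-b03",  # the advisory's own example
        "Java(TM) Plug-in 1.5.0_16-b02",  # constructed
        "Java(TM) Plug-in 1.5.0-b64",     # constructed, no update suffix
        "Java(TM) Plug-in 1.6.0_03-b05",  # constructed, other family
        "Some Other Plug-in 9.0",         # constructed, not a Java plug-in
    ]
    for s in samples:
        print(f"{s!r}: {classify(s)}")
```

A "predates-fix" result only means the release is older than the 5.0 release that addresses the issue; the advisory states the issue occurs on Windows Vista.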
There are no predictable symptoms that would indicate that the above issue has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases on Windows VISTA:
JRE 6 updates are available through the Java Update tool for Microsoft Windows users.
JDK and JRE 5.0 Update 16 is available for download at the following link:
Note: It is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:
Sun Java Standard Edition (Java SE)