
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


Java - Remote hacker automatic control

Version: J2SE
Technical Details:

Java Web Start may allow local files to be overwritten, passing control of the system to a remote attacker who has convinced a user to interact with a malicious Java application via the Internet. Arbitrary code execution is possible within the context of the local user.

Specifically, JDK and JRE 5.0 Update 11 and earlier, and SDK and JRE 1.4.2_13 and earlier, are vulnerable on Windows platforms.

Description:

Late last week a set of vulnerabilities affecting Java Web Start in J2SE was disclosed and patched by Sun. These vulnerabilities can allow a remote attacker to take control of the victim's system at the victim's current privilege level.

Of note, JDK and JRE 6, and the Solaris and Linux versions of J2SE, are not vulnerable to these issues.

Mitigation:

Apply the updates for J2SE at the earliest opportunity.
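
To find which hosts still need the update, the following added example (not part of the original advisory or of Sun's alert) classifies installed runtimes against the affected ranges listed under Technical Details. It assumes the usual Sun version string, in which 5.0 Update 11 is reported by `java -version` as `1.5.0_11`; the host names and inventory lines are constructed.

```python
import re

# Last affected build per release train, taken from the advisory text:
# "5.0 Update 11 and earlier" (reported as 1.5.0_11) and "1.4.2_13 and earlier".
LAST_AFFECTED = {(1, 5): (1, 5, 0, 11), (1, 4): (1, 4, 2, 13)}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_java_version(text):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text, platform="windows"):
    """Return 'affected', 'not_affected' or 'unknown' for one installed runtime."""
    version = parse_java_version(version_text)
    if version is None:
        return "unknown"
    platform = platform.lower()
    if platform in ("solaris", "linux"):
        return "not_affected"  # advisory: Solaris and Linux versions are not vulnerable
    if platform != "windows":
        return "unknown"       # the advisory does not mention other platforms
    train = version[:2]
    if train in LAST_AFFECTED:
        # Tuple comparison orders 1.4.1_x before 1.4.2_13 and 1.5.0_11 before 1.5.0_12.
        return "affected" if version <= LAST_AFFECTED[train] else "not_affected"
    if version >= (1, 6, 0, 0):
        return "not_affected"  # advisory: JDK and JRE 6 are not vulnerable
    return "unknown"           # releases before 1.4 are not covered by the advisory

# Constructed inventory: (host, platform, first line of `java -version`)
SAMPLE_INVENTORY = [
    ("ws-01", "windows", 'java version "1.5.0_11"'),
    ("ws-02", "windows", 'java version "1.5.0_12"'),
    ("ws-03", "windows", 'java version "1.4.2_13"'),
    ("ws-04", "windows", 'java version "1.6.0"'),
    ("lx-01", "linux", 'java version "1.5.0_09"'),
]

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(ver, plat) for host, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

Here `not_affected` means only that the version falls outside the ranges this advisory lists.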

Updates:

http://java.sun.com/j2se/1.5.0/download.jsp

Source:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1

Exploits:

External Tracking Data:

Sun Alert ID: 102957
