Java Web Start may provide access to overwrite local files and pass control of the system to a remote attacker that has convinced a user to interact with a malicious Java application via the Internet. Arbitrary code execution is possible within the context of the local user.

Specifically, JRE 6.0 Update 1 and earlier is vulnerable on Windows platforms. This is an extension of the previously reported Java vulnerability to take into account the vulnerability of JRE 6

Description:

Information Security firm, eEye, reports that the vulnerabilities that were reported earlier this month that affected J2SE now extend to JRE 6.0 (which was specifically mentioned as not being vulnerable by Sun). These vulnerabilities can lead to situations where a remote attacker is able to take control of the victim's system in the context of the current victim's privilege level.

This only affects the Windows version of the platform

Mitigation:

Apply the updates for J2SE at the earliest opportunity

Updates:

http://java.sun.com/javase/downloads/index.jsp

Source:

http://www.eeye.com

Exploits:

Sun Alert ID: 102957