[virusinfo] Vulnerability in Java Web Start - 24/03/05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 25 Mar 2005 17:11:37 -0800

From Panda Oxygen3:

"Experience: that most brutal of teachers.
                 But you learn, my God do you learn."
                C.S Lewis (1898-1963), British author.

                - Vulnerability in Java Web Start -
   Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.es)

Madrid, March 24, 2005 - Sun has reported a vulnerability in Java Web Start
that could allow privilege elevation of a non-trusted application and
indiscriminate permission to read, write and execute on the local system.

Java Web Start is a platform that allows developers to deploy complete
applications to final users accessible from any browser.

By default Java applications run in a virtual environment, called
"sandbox", to prevent security problems that indiscriminate access to
system resources could imply.  Read, write and command execution
restrictions are imposed on a Java application to protect the system from
possible attack.

The vulnerability detected allows the files to be designed to prevent
"sandbox" restrictions and take control of the system.  The problem affects
Java Web Start distributed with J2SE from versions 1.4.2 to 1.4.2_06, for
Windows, Solaris and Linux platforms.

To resolve the problem, users should update to J2SE version 1.4.07 or
later, available from http://java.sun.com/j2se/1.4.2/download.html.  As an
additional preventive measure, until a vulnerable version is updated, we
recommend disabling the execution of Java Web Start applications, removing
support for JNLP files in browsers.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If
this happens, just use the 'cut' and 'paste' options to join the pieces of
the URL.

------------------------------------------------------------
To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


