From: Panda Oxygen3:

"Experience: that most brutal of teachers. But you learn, my God do you learn."
C.S. Lewis (1898-1963), British author.

- Vulnerability in Java Web Start -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.es)

Madrid, March 24, 2005 - Sun has reported a vulnerability in Java Web Start that could allow privilege elevation of a non-trusted application and indiscriminate permission to read, write and execute on the local system.

Java Web Start is a platform that allows developers to deploy complete applications to end users, accessible from any browser. By default, Java applications run in a virtual environment, called a "sandbox", to prevent the security problems that indiscriminate access to system resources could imply. Read, write and command execution restrictions are imposed on a Java application to protect the system from possible attack.

The vulnerability detected allows files to be designed to evade the "sandbox" restrictions and take control of the system.

The problem affects Java Web Start distributed with J2SE from versions 1.4.2 to 1.4.2_06, for Windows, Solaris and Linux platforms. To resolve the problem, users should update to J2SE version 1.4.07 or later, available from http://java.sun.com/j2se/1.4.2/download.html.

As an additional preventive measure, until a vulnerable version is updated, we recommend disabling the execution of Java Web Start applications by removing support for JNLP files in browsers.

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
------------------------------------------------------------
To contact Panda Software, please visit: http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
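
Added example, not part of the forwarded advisory or of Panda's or Sun's material: a small inventory check that flags `java -version` banners inside the advisory's stated range (1.4.2 to 1.4.2_06) and lists mailcap entries that still pass JNLP files to a helper. The host names, sample banners and mailcap text are constructed, and using a mailcap-style helper file as the place a browser registers JNLP support is an assumption.

```python
import re

# Affected range as stated in the advisory: J2SE 1.4.2 through 1.4.2_06.
AFFECTED_BASE = (1, 4, 2)
AFFECTED_MAX_UPDATE = 6
JNLP_MIME = "application/x-java-jnlp-file"  # MIME type used for JNLP files

_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(banner):
    """Return ((major, minor, micro), update) from `java -version` text, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    base = tuple(int(part) for part in m.group(1, 2, 3))
    return base, int(m.group(4) or 0)

def classify(banner):
    """'affected' if inside the advisory's range, 'not-listed' if outside it,
    'unknown' if the banner cannot be parsed (treat as needing manual review)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    base, update = parsed
    if base == AFFECTED_BASE and update <= AFFECTED_MAX_UPDATE:
        return "affected"
    return "not-listed"

def jnlp_handlers(mailcap_text):
    """Return mailcap entries that still hand JNLP files to a helper program."""
    hits = []
    for line in mailcap_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.split(";", 1)[0].strip().lower() == JNLP_MIME:
            hits.append(entry)
    return hits

# Constructed sample inputs (not taken from the advisory).
SAMPLE_BANNERS = {
    "host-a": 'java version "1.4.2_05"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)',
    "host-b": 'java version "1.4.2"',
    "host-c": 'java version "1.5.0_02"',
    "host-d": "java: command not found",
}
SAMPLE_MAILCAP = "# helpers\ntext/html; mozilla %s\nApplication/X-Java-JNLP-File; javaws %s\n"

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, classify(banner))
    print("JNLP helpers:", jnlp_handlers(SAMPLE_MAILCAP))
```

"not-listed" only means the version falls outside the range the advisory names; it is not a statement that the version is free of other issues.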