Peter Csepely

**Name of the Vulnerable Software and Affected Versions** Sun Java SE versions prior to JDK and JRE 6 Update 17 **Description** The issue concerns the Java Web Start Installer in Sun Java SE, which does not properly utilize security model permissions when removing installer extensions. This allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application. **Recommendations** For versions prior to JDK and JRE 6 Update 17, update to JDK and JRE 6 Update 17 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: JDK and JRE 6 versions 6.0 through 6.0 Update 6 JDK and JRE 5.0 versions 5.0 through 5.0 Update 15 SDK and JRE 1.4.x versions 1.4.0 through 1.4.2 17 Description: The issue allows remote attackers to create arbitrary files. This can be achieved via the `writeManifest` method in the `CacheEntry` class or through an untrusted application. Recommendations: For JDK and JRE 6 versions 6.0 through 6.0 Update 6, update to JDK and JRE 6 Update 7 or later. For JDK and JRE 5.0 versions 5.0 through 5.0 Update 15, update to JDK and JRE 5.0 Update 16 or later. For SDK and JRE 1.4.x versions 1.4.0 through 1.4.2 17, update to SDK and JRE 1.4.2 18 or later.

Name of the Vulnerable Software and Affected Versions: Java Web Start in Sun JDK and JRE versions 6 Update 2 and earlier Java Web Start in Sun JDK and JRE versions 5.0 Update 12 and earlier Java Web Start in Sun SDK and JRE versions 1.4.2 15 and earlier Description: The issue allows user-assisted remote attackers to obtain sensitive information, specifically the Java Web Start cache location, via an untrusted application. This is due to the failure of Java Web Start to properly enforce access restrictions for untrusted applications. Recommendations: For Java Web Start in Sun JDK and JRE versions 6 Update 2 and earlier, update to a version later than 6 Update 2. For Java Web Start in Sun JDK and JRE versions 5.0 Update 12 and earlier, update to a version later than 5.0 Update 12. For Java Web Start in Sun SDK and JRE versions 1.4.2 15 and earlier, update to a version later than 1.4.2 15.