PT-2009-4156 · Sun · Sun Java Runtime Environment

Shinnai · Published 2009-05-18 · Updated 2024-02-14 · CVE-2009-1672

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Sun Java SE Runtime Environment (JRE) 6 Update 13
Description: The issue allows remote attackers to execute arbitrary code via a .jnlp URL in the argument to the launch method. Additionally, it might allow remote attackers to launch JRE installation processes via the installLatestJRE or installJRE method.
Recommendations: For Sun Java SE Runtime Environment (JRE) 6 Update 13, consider disabling the deploytk.dll ActiveX control until a patch is available. Restrict access to the launch, installLatestJRE, and installJRE methods to minimize the risk of exploitation. Avoid using the .jnlp URL in the launch method argument until the issue is resolved.

Exploit

Fix

Buffer Overflow

Weakness Enumeration

Related identifiers

CVE-2009-1672

Affected products

Sun Java Runtime Environment