Thread-topic: [SA26402] Sun JRE Font Parsing Vulnerability
>
> TITLE:
> Sun JRE Font Parsing Vulnerability
>
> SECUNIA ADVISORY ID:
> SA26402
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/26402/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Sun Java SDK 1.4.x
> http://secunia.com/product/1661/
> Sun Java JRE 1.5.x / 5.x
> http://secunia.com/product/4228/
> Sun Java JDK 1.5.x
> http://secunia.com/product/4621/
> Sun Java JRE 1.4.x
> http://secunia.com/product/784/
>
> DESCRIPTION:
> A vulnerability has been reported in Sun JRE, which can be exploited
> by malicious people to compromise a user's system.
>
> The vulnerability is caused by an unspecified error in the
> parsing of fonts contained in Java applets. This can be exploited by
> malicious, untrusted applets to read and write local files, or to
> execute local applications.
>
> The vulnerability is reported in the following products:
> * JDK and JRE 5.0 Update 9 and earlier
> * SDK and JRE 1.4.2_14 and earlier
>
> SDK and JRE 1.3.1_xx are not affected by the vulnerability.
>
> SOLUTION:
> Update to the latest versions or apply patches:
>
> JDK and JRE 5.0 Update 10 or later
> http://java.sun.com/j2se/1.5.0/download.jsp
>
> SDK and JRE 1.4.2_15 or later
> http://java.sun.com/j2se/1.4.2/download.html
>
> The latest J2SE 5.0 Update Release for Solaris is also available in
> the following patches:
>
> * J2SE 5.0: update 12 (as delivered in patch 118666-12)
> * J2SE 5.0: update 12 (as delivered in patch 118667-12 (64bit))
> * J2SE 5.0_x86: update 12 (as delivered in patch 118668-12)
> * J2SE 5.0_x86: update 12 (as delivered in patch 118669-12 (64bit))
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits John Heasman of NGSSoftware.
>
> ORIGINAL ADVISORY:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1
>
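The advisory above only names the affected and fixed update levels, so the practical check is whether an installed runtime sits below them. The following script is an added example, not part of the Secunia or Sun advisory: it parses the banner printed by `java -version` (the `java version "1.x.y_uu"` format that 1.4 and 5.0 runtimes print, taken here as an assumption about the output format) and classifies it using only the thresholds stated above. Java 6 is not mentioned by the advisory, so the script reports it as "not listed" rather than guessing either way.

```python
"""Classify a Java runtime against the fix levels in Secunia SA26402.

Added example, not part of the advisory. The thresholds come from the
advisory text: JDK/JRE 5.0 Update 9 and earlier and SDK/JRE 1.4.2_14 and
earlier are affected, 1.3.1_xx is not affected, and 5.0 Update 10 and
1.4.2_15 are the first fixed releases. Banner format is an assumption.
"""
import re
import subprocess

# First fixed update number per release family, as stated in the advisory.
FIXED_UPDATE = {
    (1, 5, 0): 10,   # JDK and JRE 5.0 Update 10 or later
    (1, 4, 2): 15,   # SDK and JRE 1.4.2_15 or later
}

# `java -version` prints e.g.  java version "1.5.0_09"  (the _update part is optional)
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version string found in: %r" % banner)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(banner):
    """Return 'vulnerable', 'fixed', 'not affected' or 'not listed' per SA26402."""
    major, minor, micro, update = parse_java_version(banner)
    family = (major, minor, micro)
    if family == (1, 3, 1):
        return "not affected"      # advisory: SDK and JRE 1.3.1_xx are not affected
    if family not in FIXED_UPDATE:
        return "not listed"        # e.g. Java 6: the advisory says nothing about it
    return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"


def assess_installed():
    """Run the local `java -version` (which prints to stderr) and assess it."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return assess(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample banners in the format `java -version` prints.
    samples = [
        'java version "1.5.0_09"',
        'java version "1.5.0_12"',
        'java version "1.4.2_14"',
        'java version "1.4.2_15"',
        'java version "1.3.1_20"',
        'java version "1.6.0_02"',
    ]
    for banner in samples:
        print("%-26s %s" % (banner, assess(banner)))
    try:
        print("installed runtime: %s" % assess_installed())
    except (FileNotFoundError, ValueError) as exc:
        print("installed runtime: could not determine (%s)" % exc)
```

Run it on each host that has a JRE on the PATH; for machines with several runtimes (a browser plugin often points at its own JRE), feed each `bin/java -version` banner to `assess()` rather than relying on the first one found on the PATH.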