Thread-topic: [SA27320] Sun JRE Applet Handling Vulnerability
> ----------------------------------------------------------------------
>
> TITLE:
> Sun JRE Applet Handling Vulnerability
>
> SECUNIA ADVISORY ID:
> SA27320
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/27320/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Sun Java JRE 1.3.x
> http://secunia.com/product/87/
> Sun Java JRE 1.4.x
> http://secunia.com/product/784/
> Sun Java SDK 1.4.x
> http://secunia.com/product/1661/
> Sun Java SDK 1.3.x
> http://secunia.com/product/1660/
> Sun Java JRE 1.5.x / 5.x
> http://secunia.com/product/4228/
> Sun Java JDK 1.5.x
> http://secunia.com/product/4621/
> Sun Java JRE 1.6.x / 6.x
> http://secunia.com/product/12878/
> Sun Java JDK 1.6.x
> http://secunia.com/product/14273/
>
> DESCRIPTION:
> A vulnerability has been reported in Sun JRE, which can be exploited
> by malicious people to compromise a user's system.
>
> The vulnerability is caused due to an unspecified error within the
> handling of Java applets. This can be exploited by malicious,
> untrusted applets to read and write local files, or to execute local
> applications.
>
> The vulnerability is reported in the following products:
> * JDK and JRE 6 Update 2 and earlier
> * JDK and JRE 5.0 Update 12 and earlier
> * SDK and JRE 1.4.2_15 and earlier
> * SDK and JRE 1.3.1_20 and earlier
>
> SOLUTION:
> Update to the latest versions or apply patches:
>
> JDK and JRE 6 Update 3 or later:
> http://java.sun.com/javase/downloads/index.jsp
>
> JDK and JRE 5.0 Update 13 or later:
> http://java.sun.com/javase/downloads/index_jdk5.jsp
>
> SDK and JRE 1.4.2_16 or later:
> http://java.sun.com/j2se/1.4.2/download.html
>
> SDK and JRE 1.3.1_21 or later (Windows and Solaris 8 only):
> http://java.sun.com/j2se/1.3/download.html
>
> JDK 6 Update 3 for Solaris is also available in the following
> patches:
>
> * Java SE 6 Update 3 (as delivered in patch 125136-04 or later)
> * Java SE 6 Update 3 (as delivered in patch 125137-04 or later
> (64bit))
> * Java SE 6_x86 Update 3 (as delivered in patch 125138-04 or later)
> * Java SE 6_x86 Update 3 (as delivered in patch 125139-04 or later
> (64bit))
>
> JDK 5.0 Update 13 for Solaris is also available in the following
> patches:
>
> * J2SE 5.0 Update 13 (as delivered in patch 118666-14)
> * J2SE 5.0 Update 13 (as delivered in patch 118667-14 (64bit))
> * J2SE 5.0_x86 Update 13 (as delivered in patch 118668-14)
> * J2SE 5.0_x86 Update 13 (as delivered in patch 118669-14 (64bit))
>
> The vendor notifies users that SDK and JRE 1.3.1 has completed the
> Sun End of Life (EOL) process and is only supported for customers
> with Solaris 8 and Vintage Support Offering support contracts. The
> vendor recommends that users upgrade to the latest releases.
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits Azul Systems.
>
> ORIGINAL ADVISORY:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1
>
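
An added example, not part of the advisory or of any Sun or Secunia tooling: a check that classifies `java -version` banners against the fixed releases listed under SOLUTION. It assumes version strings in the `1.x.y_nn` form these releases print; the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed release per family, from the advisory's SOLUTION section,
# as (major, minor, micro, update) tuples.
FIXED = {
    (1, 6): (1, 6, 0, 3),    # JDK/JRE 6 Update 3
    (1, 5): (1, 5, 0, 13),   # JDK/JRE 5.0 Update 13
    (1, 4): (1, 4, 2, 16),   # SDK/JRE 1.4.2_16
    (1, 3): (1, 3, 1, 21),   # SDK/JRE 1.3.1_21
}

# Matches 1.6.0_02, 1.4.2_15-b02, or 1.6.0 (no update suffix means update 0).
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Extract (major, minor, micro, update) from a banner or bare version."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError("no Java version found in %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(text):
    """True/False for families the advisory lists, None for any other family."""
    version = parse_java_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None  # family not covered by SA27320; needs a separate check
    return version < fixed


def audit(inventory):
    """Return sorted host names whose reported version is in the affected range."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))


# Constructed sample inventory (host name -> first line of `java -version`).
SAMPLE = {
    "build01": 'java version "1.6.0_02"',
    "build02": 'java version "1.6.0_03"',
    "legacy01": 'java version "1.4.1_07"',
    "legacy02": 'java version "1.3.1_21"',
    "app01": 'java version "1.5.0_12"',
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, SAMPLE[host])
```

Tuple comparison treats older micro releases such as 1.4.1_07 as affected, matching the advisory's "and earlier" wording.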