June 29, 2007 7:24 AM PDT

Java Web Start security flaw patched

by Dawn Kawamoto

How about a security patch to take that bitter edge off your Java brew?

Sun Microsystems issued a security update on Thursday that is designed to patch vulnerabilities in its Java Web Start application, which allows software for the Java platform to be launched using a Web browser.

The security flaws, described as "highly critical," were found in Java Web Start versions JDK and JRE 5.0 Update 11 and earlier, as well as Java Web Start in SDK and, on Windows, version JRE 1.4.2_13 and earlier, according to a security advisory by Secunia.

Sun issued two security updates, one for Java Web Start in JDK and JRE 5.0 Update 12 or later, and the other for Java Web Start in SDK and JRE 1.4.2_14 or later.

Sun noted that the Java Web Start flaws could allow an untrusted application to gain permissions to overwrite any file written by the user running the application. This could include, for example, the user's .java.policy file, allowing the application to invoke applets or Java Web Start applications. These would then be used to execute arbitrary code with the permissions of the user running the untrusted application, according to Sun's security advisory.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News. E-mail Dawn.

Topics:: Security

Tags:: Sun Microsystems,; Java,; security patch

Share:: Digg; Del.icio.us; Reddit; Facebook

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

Inside CNET News

Scroll Left Scroll Right

Business Tech
Week in review: A speedier new Firefox
Mozilla's latest version plays catch-up with the browser competition. Also: the latest in Windows 7 news, and a Yahoo data center in a new shade of green.
Gallery
Photos: Soaring ambition for solar aircraft
Apple
Employee shot, wounded at Virginia Apple store
The victim, a 26-year-old woman, is in serious but stable condition with a wound to the shoulder. Some media outlets are reporting robbery as the motive, but police say it's too early to tell.
Beyond Binary
Windows 7 may get a 'Family Pack'
Enthusiasts have spotted wording in a leaked test build of the operating system that suggests Microsoft may offer a three-PC deal with the new Windows.
Video
Video: iPhone 3G S launch in New York City
Digital Media
Seattle fire knocks out service to Bing Travel, other sites
At least two dozen sites experience protracted outage following Thursday night electrical fire at Fisher Plaza data center. Verizon's Seattle-area DSL service also gets temporarily disrupted.
Video
A recipe for high-tech chocolate
Geek Gestalt
Blogging live from Spiral Jetty
Never say never, but this may be the first blog ever posted live from the monumental earthwork on the edge of the Great Salt Lake called Spiral Jetty.
The Space Shot
Lunar mapping satellite snaps first test images
NASA's Lunar Reconnaissance Orbiter has snapped its first test images, showing the moon's starkly cratered terrain in preparation for the start of mapping operations.
Gallery
Photos: Mars rover Spirit down but not out
Crave
iPhone 3GS jailbreak, 'purplera1n,' hits Web
Hacker who originally unlocked the iPhone has let loose a jailbreaking app for the iPhone 3GS ahead of the iPhone dev team. For now, it's Windows-only, but a Mac version is supposedly on the way.
The Car Tech blog
Fisker's good Karma
At a dinner speech recently, Henrik Fisker laid out his plans for Fisker Automotive and its first car, the plug-in hybrid Karma.