
Critical Security Hole in some Java Web Start Versions for Windows

URL: Sun

At 10:34 AM on Jul 2, 2007, Michael Urban wrote:

A vulnerability in Java Web Start may allow an untrusted application to grant itself permissions to overwrite any file that is writable by the user running the application. This would include the user's .java.policy file which would allow the application to invoke applets or Java Web Start applications that can execute arbitrary code with the permissions of the user running the untrusted application.

Java 6 is not affected by this issue, and neither are the Solaris or Linux versions of Java.

The affected versions are:

  • Java 5.0 Update 11 and earlier
  • Java 1.4.2_13 and earlier

Updating to later versions resolves the problem.

The original security announcement can be found here
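A defender-side check for the two things the post names, added here as an example and not part of the original post or of Sun's advisory: whether an installed JRE falls in the listed affected range, and whether a `.java.policy` already contains an unscoped `AllPermission` grant. The function names are hypothetical, version strings are assumed to have the `java.version` form (`1.5.0_11`), "and earlier" is assumed to cover the 1.4.x line, and the sample policy is constructed.

```python
import re

# Last affected update per release family, as listed in the post above.
LAST_AFFECTED = {(1, 5, 0): 11, (1, 4, 2): 13}

def parse_version(text):
    """Split a '1.5.0_11' style version string into ((1, 5, 0), 11)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), int(m.group(4) or 0)

def is_affected(version, os_name):
    """True/False per the post; None where the post does not say."""
    if not os_name.lower().startswith("windows"):
        return False                      # Solaris and Linux are not affected
    family, update = parse_version(version)
    if family >= (1, 6, 0):
        return False                      # Java 6 is not affected
    if family in LAST_AFFECTED:
        return update <= LAST_AFFECTED[family]
    if (1, 4, 0) <= family < (1, 4, 2):
        return True                       # assumption: "and earlier" spans 1.4.x
    return None                           # e.g. 1.3.x: not covered by the post

GRANT = re.compile(r"\bgrant\b([^{]*)\{(.*?)\}\s*;", re.S | re.I)

def unscoped_all_permission(policy_text):
    """Return grant blocks giving AllPermission with no codeBase/signedBy/principal."""
    # Only whole-line // comments are dropped; /* */ blocks are still scanned.
    text = re.sub(r"^[ \t]*//.*$", "", policy_text, flags=re.M)
    hits = []
    for m in GRANT.finditer(text):
        scoped = re.search(r"\b(codeBase|signedBy|principal)\b", m.group(1), re.I)
        if "java.security.AllPermission" in m.group(2) and not scoped:
            hits.append(" ".join(m.group(0).split()))
    return hits

# Constructed sample of a user's .java.policy, not taken from a real system.
SAMPLE_POLICY = '''
// grant { permission java.security.AllPermission; };
grant codeBase "file:///C:/apps/trusted/-" { permission java.security.AllPermission; };
grant { permission java.security.AllPermission; };
grant { permission java.util.PropertyPermission "user.home", "read"; };
'''

if __name__ == "__main__":
    print(is_affected("1.5.0_11", "Windows XP"))
    print(unscoped_all_permission(SAMPLE_POLICY))
```

On a real host the policy text would come from the `.java.policy` file in the user's home directory; any hit on a machine that ran an affected JRE is worth reviewing by hand.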
1. At 9:38 PM on Jul 2, 2007, Walter Bogaardt wrote:

Probably not as big a problem as one thinks.

This might not be as big of an issue. Seeing as how many hackers would try to implement a breach to this security hole in a Java Web Start application deployment. Seeing as most would rather spend their time subverting a mass deployment such as Microsoft's IE browser holes. Web Start has grown some but does not prevail on all user computers.
2. At 7:12 PM on Jul 18, 2007, Werner Keil wrote:

Re: Probably not as big a problem as one thinks.

It should be fixed, but the bigger security hole is still Windows itself rather than Java WebStart.
