J2SE Java Web Start Client-Side Argument Injection Vulnerability

Monday, 21 March 2005 by Michel Roth

A critical vulnerability was identified in Java Web Start, which may allow an untrusted application the ability to elevate its privileges. The flaw resides in the Java Web Start launcher ("javaws.exe" for Windows and "javaws" for Solaris and Linux) when handling a specially crafted "property" tag in a "JNLP" file, which may be exploited, via a specially crafted web page, to bypass the default "sandbox" security policy and read/write arbitrary files on a vulnerable system.

Affected Products
Java Web Start in Java 2 Platform Standard Edition (J2SE) version 1.4.2_06 and earlier 1.4.2 releases for Windows, Solaris and Linux.
Note: Java Web Start in J2SE 5.0 and later and J2SE releases prior to 1.4.2 for Windows, Solaris and Linux are NOT affected by this issue. Java Web Start 1.0.1_02 and earlier are also NOT affected.

Solution
Upgrade to J2SE 1.4.2_07
Upgrade to J2SE 5.0 Update 2

Or disable Java Web Start applications from being launched from a web browser.

J2SE Java Web Start is automaticly installed when you install XP1.0 or MPS 3.0, so be sure to check if you need to update!

More info here.