Java Web Start is a technology for easy client-side deployment of Java
applications. "Using Java Web Start technology, standalone Java
software applications can be deployed with a single click over the
network" (from Sun Microsystems's website).
Java Web Start is installed with Java Runtime Environment (JRE). During
installation, file type associations are added to make web browsers
automatically (with a single click) open Java Web Start's .JNLP files
(the behavior may vary between different web browsers).
There is a vulnerability in the way Web Start handles Java system
properties defined in JNLP files. A malicious user can pass command
line arguments to the Java virtual machine. They can be used to disable
the Java "sandbox" and compromise the system. The attack can be carried
out when the victim user views a web page crafted by the attacker.
Java Web Start in J2SE 1.4.2 releases prior 1.4.2_07 are vulnerable.
J2SE 5.0 and later, and releases prior to 1.4.2 are NOT vulnerable.
The complete message can be found here:
1.4.2_07 is already in the tree.
Would the sun-jre also be affected ?
i think so, since the jre also provides javaws (the java webstart binary)