Reported November 23, 2004, by iDEFENSE

VERSIONS AFFECTED

· Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04 from Sun Microsystems

DESCRIPTION
A vulnerability exists in Sun Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04 that could result in the remote execution of arbitrary code on the vulnerable system. The problem exists within the access controls of the Java-to-JavaScript data exchange in Web browsers using Sun's Java Plug-in technology. This vulnerability lets JavaScript code load an unsafe class, which isn't normally possible from a Java applet.

VENDOR RESPONSE
Sun Microsystems has released J2SE 1.4.2_06 to address this vulnerability.

CREDIT
Discovered by iDEFENSE.