Product: Java Platform, Standard Edition (Java SE)

Three buffer overflow security vulnerabilities in Java Web Start may independently allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application.

A vulnerability in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application.

A vulnerability in Java Web Start may allow an untrusted Java Web Start application to create files on the system that the untrusted application runs on and leverage these files to run local applications with the privileges of the user running the untrusted Java Web Start application.

Sun acknowledges, with thanks, the following for bringing these issues to our attention:

An anonymous researcher working with the Zero Day Initiative (http://www.zerodayinitiative.com/) and TippingPoint (http://www.tippingpoint.com) for the first two issues.

John Heasman of NGSSoftware for the last two issues.

State: Resolved
First released: 04-Mar-2008