Bill Brenner of SearchSecurity.com writes: “Sun Microsystems recommends Java Web Start and Solaris users apply updates that plug security holes attackers could exploit to tamper with local files, gain elevated privileges or launch malicious code.

The Santa Clara, Calif.-based company said the problem with Java Web Start is that it “may allow an untrusted application the ability to elevate its privileges. As a result, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the Java Web Start application.”

This vulnerability affects Java Web Start in J2SE releases 1.4.2_06 and earlier for Windows, Solaris and Linux. Java Web Start in J2SE 5.0 and later and J2SE releases prior to 1.4.2 for Windows, Solaris and Linux are not affected. Java Web Start 1.0.1_02 and earlier are also not affected.”

Full article: Sun plugs Java Web Start, Solaris holes