Five months ago, Sun published multiple security vulnerabilities in JRE (Java Runtime Environment) software included in Java SE 6 (Standard Edition) platforms.
The first security problem in the JRE package allows an attacker to escape the Java sandbox and run arbitrary commands. It is triggered when the victim visits a web page hosting an applet, a program written in the Java programming language that can be embedded in an HTML page. There is also a problem in authenticating users through Kerberos that can lead to a Denial of Service. The remaining security issues concern the handling of temporary files, multiple buffer overflows, the UTF-8 decoder, and the processing of RSA public keys. An attacker can use these vulnerabilities to escalate privileges on an affected system.

The vulnerabilities presented remain in Apple's shipping JVMs, as well as in Soylatte 1.0.3., but the recent release of OpenJDK6 for Mac OS X is not affected. As a protection, Mac OS X users should disable Java applets in their browsers and disable 'Open "safe" files after downloading' in Safari. Soylatte users should upgrade to an OpenJDK6-based release where possible.

There is one example demonstrating the security risks mentioned above: by visiting a test web page, a Java applet causes "/usr/bin/say" to be executed on the system. It works on fully-patched PowerPC and Intel Mac OS X systems. The original news can be found on Landon Fuller's web site.