August 28, 2012
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own SecurityManager. Typically, a web applet runs with a security manager installed by the browser plug-in or by Java Web Start, and that manager decides whether the applet may replace it. Oracle's documentation for System.setSecurityManager states: "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException." The check is only as strong as the permissions the applet's code can reach: sandboxed applets are not granted RuntimePermission("setSecurityManager") by the default policy, so a normal call throws SecurityException, but an applet that can obtain that permission passes the check and can replace or remove the manager, which is what makes this vulnerability serious.
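To make the quoted check concrete, here is an added Java example (not from the original post or from Oracle) that installs a custom SecurityManager and then tries to remove or replace it through System.setSecurityManager. The PermissiveManager and LockedManager classes are assumptions for illustration only; a real plug-in manager delegates checkPermission to the installed Policy, which does not grant sandboxed applets RuntimePermission("setSecurityManager").

```java
import java.security.Permission;

/**
 * Added example: shows the RuntimePermission("setSecurityManager") check that
 * System.setSecurityManager performs when a manager is already installed.
 * Run with a JDK up to 17, or with -Djava.security.manager=allow on JDK 18-23;
 * the SecurityManager API was permanently disabled in JDK 24 (JEP 486).
 */
public class SetSecurityManagerCheck {

    /** Hypothetical manager that grants everything, including its own replacement. */
    static class PermissiveManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // No checks at all: this is the state an attacker wants to reach.
        }
    }

    /** Hypothetical manager that refuses to be replaced but allows everything else. */
    static class LockedManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is denied");
            }
            // A real manager would call super.checkPermission(perm) here so the
            // Policy decides; everything else is allowed to keep the demo focused.
        }
    }

    /** Attempt to remove the installed manager; true if the check let it through. */
    static boolean tryToRemoveManager() {
        try {
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Case 1: a manager that hands out setSecurityManager can simply be removed.
        System.setSecurityManager(new PermissiveManager());
        boolean removed = tryToRemoveManager();
        System.out.println("permissive manager removed: " + removed
                + ", manager still installed: " + (System.getSecurityManager() != null));

        // Case 2: a manager that denies the permission survives the same call.
        System.setSecurityManager(new LockedManager());
        removed = tryToRemoveManager();
        System.out.println("locked manager removed: " + removed
                + ", manager still installed: " + (System.getSecurityManager() != null));

        // Case 3: swapping it for a permissive one is blocked by the same check.
        try {
            System.setSecurityManager(new PermissiveManager());
            System.out.println("locked manager replaced (unexpected)");
        } catch (SecurityException e) {
            System.out.println("replacement blocked: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SetSecurityManagerCheck.java && java SetSecurityManagerCheck`. The first case removes the manager because its checkPermission never throws; the second and third cases leave LockedManager in place, which is the behaviour the quoted documentation describes and the behaviour an applet is supposed to be unable to bypass.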
More here: http://www.kb.cert.org/vuls/id/636312