From the “Have you updated yet?” files:
Sun is out this week with a significant security update for Java SE 6. US-CERT warns that the Java vulnerabilities could potentially enable an attacker to execute arbitrary code or bypass authentication methods.
Technically speaking, the update is labeled update 15 (6u15) and is accompanied by no fewer than 7 separate Sun security alerts: 263408, 263409, 263428, 263429, 263488, 263489, and 264648.
Perhaps the most significant flaw patched by Sun in the Java update is detailed in alert 264648, which is directly related to the recent out-of-band updates from Microsoft.
“A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio that is used by the Java Web Start ActiveX control may allow the Java Web Start ActiveX control to be leveraged to execute arbitrary code,” Sun’s advisory states. “This may occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability.”
It’s interesting to see how many third-party vendors were affected by the ATL issue. Adobe was also affected by the same issue.