The best workaround for this serious flaw, until Sun issues its patch, is to not use Java, or to disable javaws/javaws.exe and disable the Deployment Toolkit.
A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.
Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.
The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.
Logos, you haven't disabled Java? I immediately disabled the plugins in each browser and blocked Java from running with CIS D+.
No, I haven't... I'm not that worried... There aren't that many sites running Java, and I'm usually warned when one wants to use it... in Firefox at least. I don't use Internet Explorer.
Edit: not sure yet, I might still block it ;)
Warning: I just found that the update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).
JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE). Simply select "Check for Updates" or "Remove Older Version" to begin. JavaRa is free under the GNU GPL version two.
http://raproducts.org/javara.html
@ Chris Thomas:
Edit: maybe you actually already uninstalled the old version(s) and installed the new one. Then the alert just comes from the fact that you didn't manually delete the old Java deployment files in the Firefox plugins folder, as said.
So I don't know why this is happening to you.
a. I never do an on-line install of Java; I always download the off-line installation file.
b. You don't have to uninstall the old version of Java; since some time ago, the Java update has removed the old version.
a. I also use the downloaded installer, as I blocked all Java updates at first. Check the version number of your Java Deployment Toolkit plugin for Firefox, which should be 6.0.200.2.
b. True, but somehow it seems not to work with the 6.20 update...
Maybe because it's an out-of-order quick fix..??
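The two posts above raise the same practical problem: after updating to Update 20, stale copies of the Deployment Toolkit plugin can remain in the browser plugin folders, and the fix is to check each copy's file version against 6.0.200.2. The following PowerShell script is an added example written for this thread; it is not code from any of the posters or from Sun. It assumes the NPAPI plugin file is named npdeploytk.dll (an assumption; adjust the name if your install uses a different one) and that copies may sit under the Firefox plugins folders, the per-user Mozilla plugins folder, or the JRE's own directory under Program Files.

```powershell
# Added example (not from the thread): inventory Java Deployment Toolkit plugin DLLs
# and flag any copy whose file version is below the 6.0.200.2 quoted in the post.
# Assumptions: the plugin file is named npdeploytk.dll (assumed name), and stale
# copies can live in browser plugin folders as well as under the JRE install folder.

$ExpectedVersion = [version]'6.0.200.2'   # version the post says the patched plugin reports
$PluginName      = 'npdeploytk.dll'       # assumed file name of the Deployment Toolkit plugin

# Folders where the plugin DLL is typically copied; extend the list for other browsers.
$SearchRoots = @(
    "$env:ProgramFiles\Mozilla Firefox\plugins",
    "${env:ProgramFiles(x86)}\Mozilla Firefox\plugins",
    "$env:ProgramFiles\Java",
    "${env:ProgramFiles(x86)}\Java",
    "$env:APPDATA\Mozilla\plugins"
) | Where-Object { $_ -and (Test-Path $_) }

$Results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter $PluginName -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            # FileVersion strings sometimes carry trailing text; keep only the numeric part.
            $ver = $null
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }

            if ($null -eq $ver)                { $status = 'UNKNOWN' }
            elseif ($ver -lt $ExpectedVersion) { $status = 'STALE' }
            else                               { $status = 'OK' }

            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $raw
                Status      = $status
            }
        }
}

if (-not $Results) {
    Write-Output "No $PluginName found under the searched folders."
} else {
    $Results | Sort-Object Status, Path | Format-Table Status, FileVersion, Path -AutoSize
    $stale = @($Results | Where-Object { $_.Status -ne 'OK' })
    if ($stale.Count -gt 0) {
        Write-Warning ("{0} copy/copies of {1} are older than {2} or unreadable; " -f $stale.Count, $PluginName, $ExpectedVersion) +
            "remove Java completely, reinstall from the offline installer, then delete the leftover files."
    }
}
```

Run it from an elevated PowerShell prompt so the Program Files folders are readable. A copy reported as STALE under a browser plugins folder is exactly the leftover the posts describe: the installer updated the JRE but did not replace the plugin file the browser actually loads, so deleting that file (or reinstalling from scratch) is what removes the vulnerable version from the browser.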