Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability

Discussion in 'other security issues & news' started by ronjor, Jun 14, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    Secunia
     
  2. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    If I'm reading that right, it was fixed in JRE 1.5 (or 5.0, their numbering confuses me) Update 2, which has been available many months now.
     
  3. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Good call Ron! :cool: I've always had suspicions about unauthorized applet starts.

    GF ;)
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    Their numbering system can get confusing. I'm using the 1.4.xxx versions.
     
  5. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    I wonder why Sun keeps insisting on pushing Java Web Start with JRE, while I see no use for it and it has had its load of vulnerabilities. The only way to remove the damn thing is by deleting the javaws folder.
     
  6. snowieone

    snowieone Guest

    THIS ISSUE WAS FIXED BUT IF YOU DISLIKE WEBSTART JUST:

    To work around the described issue, disable Java Web Start applications from being launched from a web browser as follows:

    For Internet Explorer:

    Right click on the "Start" button and select "Explore"
    In the "Start Menu" window, select "Tools" => "Folder Options"
    From the "Folder Options" window, select the "File Types" tab
    From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
    Select the "JNLP - JNLP File" and click the "Delete" button

    For Mozilla:

    Select "Preferences" under the browser's "Edit" menu
    In the "Preferences" window, select "Helper Applications" located under the "Navigator" category
    Under "Files types", scroll down and locate "application/x-java-jnlp-file"
    Select "application/x-java-jnlp-file" and click the "Remove" button

    Notes:

    1. On Microsoft Windows, applications may also be launched from the desktop icon or Start Menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item.
     
  7. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Hi snowieone,

    Thanks for this solution. It's much more elegant and scriptable than just deleting the entire javaws folder. I already discovered how to remove the desktop icon using an installation script.

    Now I still have to verify it doesn't recreate these keys after updating JRE.
     
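The thread ends on an open question: whether a JRE update puts the JNLP association back. The following read-only check is an added example, not part of any post above and not Sun's code; it assumes the "JNLP File" type corresponds to the `.jnlp` extension and that the MIME mapping sits in the standard Windows `MIME\Database\Content Type` location. The function names are hypothetical.

```powershell
# Added example: report whether Windows still maps .jnlp / the JNLP MIME type
# to a handler. Run before and after a JRE update and compare. Changes nothing.
$Ext  = '.jnlp'                          # assumption: extension behind "JNLP File"
$Mime = 'application/x-java-jnlp-file'   # MIME type named in the workaround
$Hkcr = [Microsoft.Win32.Registry]::ClassesRoot

function Get-ClassesValue([string]$SubKey, [string]$Name = '') {
    # .NET API is used on purpose: the PowerShell registry provider mishandles
    # key names containing '/', which every MIME type key does.
    $key = $Hkcr.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }          # key absent
    try { $key.GetValue($Name) } finally { $key.Close() }
}

function Get-JnlpAssociation {
    $findings = @()

    # 1. Extension -> ProgID -> open command (what the "File Types" tab edits).
    $progId = Get-ClassesValue $Ext
    if ($progId) {
        $findings += [pscustomobject]@{
            Check   = 'Extension'
            Key     = "HKCR\$Ext"
            MapsTo  = $progId
            Handler = Get-ClassesValue "$progId\shell\open\command"
        }
    }

    # 2. MIME type -> extension, consulted when a server sends the content type.
    $mimeKey = "MIME\Database\Content Type\$Mime"
    $mapped  = Get-ClassesValue $mimeKey 'Extension'
    if ($mapped) {
        $findings += [pscustomobject]@{
            Check   = 'MIME'
            Key     = "HKCR\$mimeKey"
            MapsTo  = $mapped
            Handler = $null
        }
    }
    return $findings
}

$result = Get-JnlpAssociation
if ($result) {
    $result | Format-List
    Write-Warning 'JNLP association present: it was not removed, or an installer restored it.'
} else {
    Write-Output 'No .jnlp file or MIME association found.'
}
```

This covers only the Windows file-type and MIME associations; the Mozilla "Helper Applications" entry is stored in the browser profile and has to be checked there.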