iDefense Security Advisory 03.25.09 – Remote exploitation of a heap corruption vulnerability in Sun Microsystems Inc.’s Java Web Start could allow an attacker to execute arbitrary code with privileges of the current user. When JWS starts up, it displays a splash screen. By default, the image displayed on this splash screen is a GIF file provided by Sun, but it is possible for a JNLP file to provide its own splash logo. This allows an attacker to pass an arbitrary GIF file to the splash logo parsing code to trigger the vulnerability. iDefense has confirmed the existence of this vulnerability in Java Web Start version 1.6_11 on Windows and Linux. Previous versions may also be affected.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/76130/03.25.09-2.txt
Source: https://packetstormsecurity.com/files/76130/iDEFENSE-Security-Advisory-2009-03-25.2.html