Oracle Java SE and Java for Business are development platforms for developing and deploying Java applications. They include the Java SE Development Kit (JDK) and the Java Runtime Environment (JRE). The JRE provides the minimum requirements for executing a Java application (e.g., an applet) and consists of the Java Virtual Machine (JVM), core classes and supporting files. One of the libraries included in the JVM is the Color Management Module (CMM), which controls the conversion among the color representations used by various devices by processing International Color Consortium (ICC) profiles.
Oracle Java SE and Java for Business 6 Update 18 and prior, and 5.0 Update 23 and prior, are vulnerable to a buffer overflow in the CMM readMabCurveData function. A remote attacker could gain system access if a user opens a Java applet that imports a malicious ICC profile that specifies an invalid count for curveType objects passed to the
Apply the patches detailed in the Oracle Java SE and Java for Business Critical Patch Update Advisory for March 2010.
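As an added example, not code from this page or from Oracle's CMM: a Python validator, written from the ICC.1 layout of lutAtoBType ('mAB ') and lutBToAType ('mBA ') tags, that walks each curve table and rejects any curveType whose declared count would run past the end of the tag, the bound that an invalid count relies on the parser not checking. It assumes the tag blob has already been cut out of the profile's tag table; the function names, the constructed sample tag and its offsets are mine.

```python
import struct

PARA_PARAMS = {0: 1, 1: 3, 2: 4, 3: 5, 4: 7}  # s15Fixed16 parameters per 'para' function type (ICC.1)

def curve_size(tag, off):
    """Byte length of the 'curv'/'para' element at off inside tag; ValueError if it overruns the tag."""
    if off + 12 > len(tag):
        raise ValueError("curve header at offset %d is truncated" % off)
    sig = tag[off:off + 4]
    if sig == b"curv":
        count, = struct.unpack(">I", tag[off + 8:off + 12])
        size = 12 + 2 * count  # in C this product must itself be overflow-checked before allocating
    elif sig == b"para":
        ftype, = struct.unpack(">H", tag[off + 8:off + 10])
        if ftype not in PARA_PARAMS:
            raise ValueError("unknown parametric curve type %d" % ftype)
        size = 12 + 4 * PARA_PARAMS[ftype]
    else:
        raise ValueError("unexpected curve signature %r at offset %d" % (sig, off))
    if off + size > len(tag):
        raise ValueError("curve at offset %d declares %d bytes, only %d remain" % (off, size, len(tag) - off))
    return size

def check_mab_tag(tag):
    """Validate every curve table of an 'mAB '/'mBA ' tag blob; returns the number of curves checked."""
    if len(tag) < 32 or tag[:4] not in (b"mAB ", b"mBA "):
        raise ValueError("not a well-formed mAB/mBA tag")
    n_in, n_out = tag[8], tag[9]
    off_b, _matrix, off_m, _clut, off_a = struct.unpack(">5I", tag[12:32])
    n_b, n_a = (n_out, n_in) if tag[:4] == b"mAB " else (n_in, n_out)  # mAB: A=in, M/B=out; mBA reversed
    checked = 0
    for start, count in ((off_b, n_b), (off_m, n_b), (off_a, n_a)):
        pos = start
        for _ in range(count if start else 0):  # offset 0 means that table is absent
            pos += (curve_size(tag, pos) + 3) & ~3  # each curve is padded to a 4-byte boundary
            checked += 1
    return checked

def build_mab(declared_count, actual_points):
    """Constructed 3-in/3-out 'mAB ' tag: only B curves, each a 'curv' claiming declared_count entries."""
    curve = struct.pack(">4s4xI", b"curv", declared_count) + b"\x00\x00" * actual_points
    curve += b"\x00" * (-len(curve) % 4)
    return struct.pack(">4s4xBB2x5I", b"mAB ", 3, 3, 32, 0, 0, 0, 0) + curve * 3

def verdict(tag):
    """Accept/reject string for a tag blob, as a pre-CMM filter would report it."""
    try:
        return "ok (%d curves)" % check_mab_tag(tag)
    except ValueError as err:
        return "REJECT: %s" % err
```

Calling verdict on build_mab(1, 1) accepts the tag, while build_mab(0x7FFFFFFF, 1), whose count field far exceeds the two bytes of curve data actually present, is rejected before any CMM would allocate for it.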
Exploit works on Oracle Java SE and Java for Business containing Oracle JRE 6 Update 18.
The user must open the exploit in Internet Explorer 6, 7, or 8 or Mozilla Firefox 2.x or 3.x.