Product: Java Platform, Standard Edition (Java SE)
The Java Runtime Environment (JRE) "Java Update" mechanism does not check the digital signature of the JRE that it downloads. This may allow a malicious file to be downloaded and installed if the DNS information that the JRE uses when checking for updates is compromised.
Sun acknowledges with thanks, Francisco Amato for bringing this issue to our attention.
First released: 03-Dec-2008