Description
The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X 10.5 allows remote attackers to execute arbitrary code via a call to the undocumented apple.laf.CColourUIResource constructor with a crafted value in the first argument, which is dereferenced as a pointer.
References (7)
Core References
Patch, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Jun/msg00003.html
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35401
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-09-043
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504364/100/0/threaded
Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35381
Patch, Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT3632
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51185
Scores
EPSS
0.0387
EPSS Percentile
88.4%
Details
CWE
CWE-94
Status
published
Products (2)
sun/jre
1.5.0 (18 CPE variants)
sun/jre
1.5.0_11-b03
Published
Jun 16, 2009
Tracked Since
Feb 18, 2026