If Microsoft followed Sun Microsystem's policy of providing the details of vulnerabilities fixed at the time of the NEXT or subsequent update, the public and the press would be screaming so loud the walls would reverberate in Redmond. This is just plain irresponsible on the part of Sun Microsystems!
It is also next to impossible to find what has been fixed at the Sun website. I located the details at Heise Security:
"Among other things, two buffer overflows have been resolved in the Java Runtime Environment (JRE) that allowed system resources to be accessed by non-trusted applets, which could then read, write, and execute arbitrary files with the user's rights. Two additional flaws in the serialization of JRE also allowed an applet to gain more rights. Finally, two weak points allow one applet to access the data of another applet. The flaws are found in the DK and JRE versions up to 1.4.2_12, with some even in 1.3.1_18. Updates (1.4.2_13 and 1.3.1_19) have also been made available for these flaws."
"Also see:It is very important to uninstall prior versions of Sun Java when updating. Please see the illustrated instructions here for updating Sun Java.
- Security Vulnerabilities Related to Serialization in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges, Sun security advisory
- Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Access Data in Other Applets, Sun security advisory
- Security Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code, Sun security advisory"