When I was searching for a new version of KDE, I found this at the KDE Security link
KDE Security Advisory: Konqueror Java Vulnerability
Original Release Date: 2004-12-20
1. Systems affected:
All versions of KDE up to KDE 3.3.1 inclusive. KDE 3.3.2 is not
Two flaws in the Konqueror web browser make it possible to bypass
the sandbox environment which is used to run Java-applets.
making it possible to escalate the privileges of the Java-applet.
The other problem is that Konqueror fails to correctly restrict
access to certain Java classes from the Java-applet itself.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1145 to this issue.
When a user has Java enabled in Konqueror and visits a malicious
website, the website can run a Java-applet and obtain escalated
privileges allowing reading and writing of arbitrary files with
the privileges of the user.
Upgrade to KDE 3.3.2
A backport has been made available for older versions which fixes
this vulnerability. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
For KDE 3.2.3 a backport of the new Java handling is available from
6. Time line and credits:
contacted by heise Security
29/11/2004 Fixed in KDE CVS by Koos Vriezen
14/12/2004 Backport for KDE 3.2.3
20/12/2004 KDE Advisory released