Oct 13, 2010 07:50 GMT

Oracle has released critical updates for its Java SE and Java for Business technologies to address numerous remote code execution vulnerabilities and other security issues.

The vendor has provided JDK (Java Development Kit) and JRE (Java Runtime Environment) 6 Update 22 for Windows, Solaris, and Linux for both Java SE and Java for Business.

The updates fix a total of 29 vulnerabilities in various Java components, of which 28 can be exploited remotely without authentication.

In addition, 15 of them scored 10.0 (maximum) on the Common Vulnerability Scoring System (CVSS) v2 scale, because they have a low access complexity and result in complete compromise of confidentiality, integrity and availability.

Vulnerabilities of this type are commonly exploited in drive-by download attacks to install malware on the computers of unsuspecting users.

Brian Krebs recently reported that statistics gathered from the control panels of various active Web exploit toolkits reveal that Java exploits are the most successful ones.

This suggests that a lot of people fail to keep their Java installations up to date, and truth be told, the technology doesn't make it easy either.

The Java updater is set to fire up automatically once a month on a random day and at a random hour, probably determined based on the installation date and time.

To manually trigger an update check, people can search for jucheck.exe on their system drive and run it. Another way is to download the latest version and install it over the old one.

Unless you definitely know that you need the Java Runtime Environment (JRE), it might be better to completely remove it from the computer. It can be reinstalled later if required.

Also, if you only need it for desktop applications, like OpenOffice, you can at least disable the Web plug-in in your browser, in order to block this popular attack vector.

The latest version of Java SE JRE for Windows can be downloaded here.

The latest version of Java SE JRE for Linux can be downloaded here.