Jun 8, 2011 07:57 GMT

Oracle has released Update 26 for its Java SE 6 platform to address seventeen remotely exploitable vulnerabilities, many of which could result in arbitrary code execution.

Of the included patches, eleven apply only to the Java SE client and one only to the server version. The rest affect both flavors of the platform.

Nine vulnerabilities carry the maximum score of 10 on the CVSS scale. This means that they can be exploited remotely, with ease and without authentication, resulting in a complete compromise of confidentiality, integrity and availability.

The scores were calculated under the assumption that users have administrative privileges, as is typical on Windows, and are able to run Java applets or Java Web Start applications, which is the default behavior.

Three of the remaining vulnerabilities carry a CVSS base score of 7.6, four of 5.0 and one of 2.6. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU (Critical Patch Update) fixes as soon as possible," the company writes in its advisory.

Java vulnerabilities are commonly exploited in drive-by download attacks to infect users with malware. In fact, according to statistics gathered from live web exploit kit installations, Java exploits are the most effective ones.

This suggests that a large number of Java installations on people's computers are outdated, and the ineffective Java updater, which only runs once a month, is partly responsible for that.

Java is required for some popular desktop applications, like OpenOffice, to function properly, but it has mostly been surpassed by technologies like AJAX and HTML5 on the web.

Since the vast majority of attacks come from the web, where there isn't much Java content anymore, users should consider manually removing the Java browser plug-in. Keep in mind, however, that each Java upgrade re-installs it.

The latest version of Java SE JRE for Windows can be downloaded from here. The latest version of Java SE JRE for Linux can be downloaded from here.