Softpedia
February 17th, 2011, 14:57 GMT

Java Security Update Fixes Critical Vulnerabilities

Java JRE 6 Update 24 released as a security update
Oracle has released security updates for Java SE and Java for Business to address multiple vulnerabilities, some of which allow attackers to take control over computers.

The update addresses a total of 21 vulnerabilities in JDK and JRE 6 Update 23 and earlier, JDK 5.0 Update 27 and earlier, and SDK 1.4.2_29 and earlier.

Nineteen of the flaws can be exploited remotely without any need for authentication and can affect the confidentiality, integrity and availability of data to various degrees.

Eight vulnerabilities carry the highest possible CVSS base score of 10.0, which means they have a critical impact and can be exploited to execute arbitrary code.

The impact is higher on Windows than on Linux or Solaris, because by default Java runs with administrative privileges on the former. Vulnerabilities normally rated 10.0 have a score of 7.5 if Java runs under a non-admin user.
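The 10.0 versus 7.5 difference follows directly from the CVSS v2 base-score formula, which Oracle used in its advisories at the time. The calculator below is an added example, not code from the article or from Oracle; it assumes that the administrator case is the vector AV:N/AC:L/Au:N/C:C/I:C/A:C (complete loss of confidentiality, integrity and availability) and the non-admin case is the same vector with partial (P) impacts, which the article does not state explicitly.

```python
"""CVSS v2 base-score calculator, used to reproduce the 10.0 vs 7.5 scores."""
import math

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # none / partial / complete


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict of metric -> value."""
    parts = dict(item.split(":") for item in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError(f"vector must contain exactly the metrics {sorted(expected)}")
    return parts


def base_score(vector):
    """Return the CVSS v2 base score, rounded half-up to one decimal as the spec does."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10


# Assumed vectors (not given in the article): the same remotely exploitable,
# unauthenticated flaw scored with Java running as an administrator versus as a
# non-admin user, where only partial loss of C/I/A is possible.
ADMIN_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
NON_ADMIN_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
# A denial-of-service-only flaw, for comparison with the lower-impact bugs.
DOS_ONLY_VECTOR = "AV:N/AC:L/Au:N/C:N/I:N/A:P"

if __name__ == "__main__":
    for label, vec in (("admin", ADMIN_VECTOR), ("non-admin", NON_ADMIN_VECTOR), ("dos-only", DOS_ONLY_VECTOR)):
        print(f"{label:10s} {vec}  -> base score {base_score(vec)}")
```

Running it prints 10.0 for the admin vector and 7.5 for the non-admin vector; the impact sub-score is the only term that changes, since exploitability (network, low complexity, no authentication) is identical in both cases.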

By exploiting lower impact flaws that don't allow for arbitrary code execution, attackers can still access sensitive information, bypass restrictions or trigger denial of service conditions.

The vulnerabilities are caused by errors in a wide array of components, including Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, JDBC, Launcher, Networking, XML Digital Signature, and Security.

Researchers credited with discovering and reporting them to Oracle include Afik Castiel (Versafe Anti Fraud), Billy Rios (Google), binaryproof via Tipping Point ZDI and iDefense, Dmitri Gribenko, Eduardo Vela Nava (Google), Frederic Hoguin via Tipping Point ZDI, Marc Schoenefeld (Red Hat), Peter Csepely via Tipping Point ZDI, Roee Hay (IBM Rational Application Security Research Group), Sami Koivu via Tipping Point ZDI, Stefano Di Paola (Minded Security), and Tom Hawtin.

Users are urged to update to Java Runtime Environment 6 Update 24 immediately, especially since Java is currently the most targeted application in drive-by download attacks.

The latest version of Java SE JRE for Windows can be downloaded from here.

The latest version of Java SE JRE for Linux can be downloaded from here.
