14 DAY TRIAL // Oracle has released security updates for Java SE and Java for Business to address multiple vulnerabilities, some of which allow attackers to take control over computers.
The update addresses a total of 21 vulnerabilities in JDK and JRE 6 Update 23 and earlier, JDK 5.0 Update 27 and earlier, and SDK 1.4.2_29 and earlier.
Nineteen of the flaws can be exploited remotely without any need for authentication and can affect the confidentiality, integrity and availability of data to various degrees.
Eight vulnerabilities carry the highest possible CVSS base score of 10.0, which means they have a critical impact and can be exploited to execute arbitrary code .
The impact is higher on Windows than on Linux or Solaris, because by default Java runs with administrative privileges on the former. Vulnerabilities normally rated with 10.0, have a 7.5 score if Java runs under a non-admin user.
By exploiting lower impact flaws that don't allow for arbitrary code execution, attackers can still access sensitive information, bypass restrictions or trigger denial of service conditions.
The vulnerabilities are caused by errors in a wide array of components, including Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, JDBC, Launcher, Networking, XML Digital Signature, and Security.
Researchers credited with discovering and reporting them to Oracle include Afik Castiel (Versafe Anti Fraud), Billy Rios (Google), binaryproof via Tipping Point ZDI and iDefense, Dmitri Gribenko, Eduardo Vela Nava (Google), Frederic Hoguin via Tipping Point ZDI, Marc Schoenefeld (Red Hat), Peter Csepely via Tipping Point ZDI, Roee Hay (IBM Rational Application Security Research Group), Sami Koivu via Tipping Point ZDI, Stefano Di Paola (Minded Security), and Tom Hawtin.
Users are urged to update to Java Runtime Environment 6 update 24 immediately, especially since Java is currently the most targeted application in drive-by download attacks.
The latest version of Java SE JRE for Windows can be downloaded from here.
The latest version of Java SE JRE for Linux can be downloaded from here.