Researchers from Security Explorations were credited for finding some of the flaws

Jun 13, 2012 12:47 GMT  ·  By

Oracle has released the June 2012 Java SE Critical Patch Update (CPU) to address 14 vulnerabilities that affect some of the company’s products.

The security researchers who contributed to this latest patch are Andrei Costin, who reported his findings via Secunia, Chris Ries who notified Oracle via TippingPoint, Clayton Smith of Entrust, and Adam Gowdiak of Security Explorations.

Oracle doesn’t provide many details regarding the bugs, but Adam Gowdiak and his team have detailed some of their findings on the Security Explorations website.

Two of the most interesting weaknesses they found are a complete compromise of the Java security sandbox and an issue with JVM properties access and file read access.

“Malicious Java applet or application exploiting one of them could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user,” reads the FAQ released by Security Explorations.

They also present an attack scenario where a cybercriminal sets up a website that hosts a malicious Java applet which exploits one of the security holes. By luring potential victims to this site via social engineering techniques, the attackers could push malware onto the affected systems.

Security Explorations plans to release the technical details of its findings on its website, or possibly at a security conference, just as it did with the digital satellite equipment vulnerabilities it discovered not long ago.

All Java users are advised to apply the latest CPU. Until the CPU fixes are applied, customers can reduce the risk by restricting the network protocols that a potential attack would use.