Experts say Oracle might be trying to downplay the impact of the security holes

Jun 19, 2013 10:54 GMT

Oracle has released its Java SE critical patch update (CPU) for June 2013. A total of 40 vulnerabilities have been fixed, including 37 that can be remotely exploited without authentication.

In addition, 4 out of the 40 security fixes are applicable to server deployments of Java.

Among those credited with helping to make Java more secure are Adam Gowdiak of Security Explorations, Ben Murphy, Hasegawa Yosuke, James Forshaw of Context Information Security, Sam Thomas of Pentest Limited, Tim Brown and Tim Varkalis of Portcullis Computer Security, and Vitaliy Toropov.

The updates impact JDK and JRE 7 Update 21 and earlier, JDK and JRE 6 Update 45 and earlier, JDK and JRE 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier.

According to Trend Micro experts, the patches address a vulnerability identified in the documentation generator tool known as Javadoc. The company says the vulnerability can be exploited to steal user data by injecting a frame in the generated Javadoc HTML page.

We’ve reached out to Security Explorations to find out which of the vulnerabilities that they’ve reported have been addressed.

Security Explorations CEO Adam Gowdiak says the June 2013 CPU addresses “issue 61,” which the firm reported to Oracle back in April.

The security research firm has published the proof-of-concept code for “issue 61” on its website.

However, according to Gowdiak, something doesn’t seem to add up.

“Oracle's announcement does not give CVSS score of 10 to any bug that would affect server deployments as well. It looks like an intentional downplay of Java vulnerabilities impact, an attempt to convince the public that Java security problems are with the Plugin, rather than with a Java technology in general and Oracle's code development processes,” he said.

Oracle’s next Java SE CPU is scheduled for October 2013.