Oracle has closed 17 remote execution vulnerabilities in Java, most of which are also present in the browser plug-ins.
at least 17 security vulnerabilities in Java as part of its scheduled update.
17 security vulnerabilities and one non-security-related issue in its latest
update to Java 6, released June 8. All 17 vulnerabilities would allow attackers
to remotely execute code on the affected system without authentication,
according to the company.
Nine of the
flaws were rated at a risk of 10 out of 10 on Windows machines where the main
account was the Administrator account, meaning attackers could theoretically
take control of the machine. All but one of the vulnerabilities affected the
Java Runtime Environment plug-in that runs in the Web browser.
the threat posed by a successful attack, Oracle strongly recommends that
customers apply [the] fixes as soon as possible," Oracle said in a statement
on its Website.
Explorer and Adobe Reader are the three most frequently attacked programs, and
security experts say users run a serious risk of being compromised if they
don't regularly update these programs.
"We have seen great success among attackers using flaws in
Java to exploit Windows computers, but also a broader experimentation with
building malware that will run on Mac and Linux," Chester Wisniewski, senior
security advisor at Sophos, wrote on the NakedSecurity
. Last year's Mac-based Koobface was an example of how malware
developers could use Java
to create cross-platform malware
that targeted non-Windows machines.
Java 6 Update
26 (v 220.127.116.11) is available either through the Java updater or on the Website
java.com and is available for the Windows, Linux and Solaris operating systems.
The update will fix the issues in both the locally installed program as well as
the browser plug-ins.
Mac users will
have to wait for Apple to patch the issues, as Oracle currently does not
provide Java for OS X. Apple
in Leopard and Snow Leopard in March, a month after Oracle
fixed the bugs. Starting with Mac OS X Lion, version 10.7, Java will no longer
be part of the operating system and will be installed and patched through the
Oracle site, Apple said in October.
installed on over 850 million PCs worldwide, making it a major target for
cyber-criminals. Java accounted for 17 percent of vulnerabilities affecting
browser plug-ins in 2010, Symantec said in its annual Internet
Security Threat Report
released in April. Java malware generally relies on
patched vulnerabilities as old versions of the software are commonplace.
Despite its broadly installed base, not many users are actively using Java
nowadays on their computers.
"Do you really
need Java in your browser? Seriously, do you? If not, get rid of it," F-Secure's Mikko
wrote last May after encountering a malicious link being spammed
on Twitter that relied on a Java applet to deliver its payload.
mean users should just go ahead and uninstall the Java runtime environment immediately,
though. Popular open-source office productivity suite OpenOffice.org requires
Java to function properly, and there are number of VMware products that depend
Websites and photo sharing sites still use Java, as well, requiring users to
have the Java plug-in installed. Some Websites also still rely on Java applets
for data visualizations, as well. In general, a lot of companies still use Java
internally for custom solutions, so users should go ahead and update the
software instead of removing it altogether.
suggested testing systems without the Java plug-in to find out if it's
necessary to have the software installed. Minimizing the amount of software
plugged into the browser "reduces the attack surface for exploits delivered
over the Internet," Wisniewski said. "If you require Java, be sure that you
deploy this update," Wisniewski added.