Java 6 Update 15 available
Sun has released JDK and JRE 6 Update 15 as well as JDK and JRE 5.0 Update 20 of its Java development kit and runtime environment. With these versions, the developers fixed numerous bugs and resolved several security issues. One of the security problems gives untrusted applets access to a system, allowing attackers to gain control of a PC. Some of the holes are based on integer overflows when processing images and in connection with the Unpack200 JAR tool. Sun had to fix a similar flaw in the JAR tool in March 2009.
The vendor also included additional root certificates and extended the Java blacklist. The blacklist was introduced with Java 6 Update 14 and is designed to prevent the Java plug-in and Web Start from loading and executing vulnerable classes from signed JAR files. Users are, therefore, advised to update to the current version 6 (also designated 1.6) to take advantage of it. Since Java 6 Update 10, Java's installation routines for Windows have offered a patch-in-place configuration that can be used to overwrite older versions of Java. This is intended to prevent multiple installations in different folders on a system, which may cause security issues.
Mac OS X users will need to be patient and wait until Apple has put together its own Java update. Three months ago, a Mac exploit caused a commotion by targeting a Java vulnerability which, in the author's opinion, was ignored and left unpatched by Apple for several months.
- Changes in 1.6.0_15 (6u15)
- A Security Vulnerability in the Java Runtime Environment Audio System may Allow System Properties to be Accessed
- Security Vulnerabilities With the Proxy Mechanism Implementation in the Java Runtime Environment (JRE) may Lead to Escalation of Privileges
- Integer Overflow Vulnerability in the Java Runtime Environment When Parsing JPEG Images
- A Security Vulnerability With Verifying HMAC-based XML Digital Signatures in the XML Digital Signature Implementation Included With the Java Runtime Environment (JRE) may Allow Authentication to be Bypassed
- Integer Overflow Vulnerability in the Java Runtime Environment (JRE) "Unpack200" JAR Unpacking Utility May Lead to Escalation of Privileges