Java SE updates fix critical security holes
Oracle has fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java WebStart applications or web services in order to install malicious code on computers that run flawed versions of Java. Oracle says that such flawed versions are particularly likely to exist on Windows computers because Windows users tend to have admin privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added.
The holes, five of which are rated as maximum risk vulnerabilities, affect the JDK (Java Development Kit) and JRE (Java Runtime Environment) 7 Update 2, JDK and JRE 6 Update 30, JDK and JRE 5.0 Update 33, and SDK and JRE 1.4.2:35, and earlier releases of each. Versions older than JavaFX 2.0.2 are also affected.
Oracle has closed the holes in Java SE 7 Update 3, Java SE 6 Update 31 and JavaFX 2.0.3. The updates are available for Windows, Linux and Solaris. Under Windows, the updates will be installed automatically via auto-update. Otherwise, the patches can be downloaded from the Java download page and installed manually. Oracle recommends that flawed versions be replaced as soon as possible.
- Oracle Java Critical Patch Update Advisory - February 2012, the Oracle advisory.