Oracle patches critical Java security vulnerabilities
Oracle has released security updates to fix a number of critical vulnerabilities in the Java programming language on the company's scheduled June Critical Patch Update. The Java SE Critical Patch Update June 2011 advisory details a total of 17 vulnerabilities which affect the Java Development Kit (JDK) and the Java Runtime Environment (JRE) versions 6.0 (up to and including update 25), 5.0 (up to and including update 29) and 1.4.2 (up to and including version 1.4.2_31) on all supported platforms.
Oracle gives 9 of the 17 vulnerabilities a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible level of severity. According to Oracle, all of these vulnerabilities can be remotely exploited without authentication. In some cases, there are multiple instances of each vulnerability which can be exploited by untrusted Java Web Start applications or applets. The critical vulnerabilities were found in the 2D graphics, AWT, Deployment, Hotspot, Sound and Swing subsystems.
Oracle says the CVSS rating of 10.0 applies only on systems where the user has administrator privileges, as is typical on Windows; where the user does not have administrator privileges, as is typical on Linux or Solaris, the score falls to 7.5 for the vulnerabilities.
Due to the potential threat posed by a successful attack, Oracle advises users to update to JDK or JRE 6 Update 26 or install updates for older Java branches as soon as possible.
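A practical way to act on this advisory is to check which Java builds are still inside the affected ranges the advisory describes. The following is an added example (not part of the original article and not Oracle's own tooling) that parses the first line of `java -version` output and compares the update number against the affected ranges stated above: 6.0 up to update 25, 5.0 up to update 29 and 1.4.2 up to 1.4.2_31. The version-string format and the sample output lines are assumptions based on the usual `java version "1.6.0_25"` layout; the `AFFECTED_MAX_UPDATE` table and the function names are the author's own, and only the update levels quoted from the advisory are used.

```python
import re

# Highest affected update per Java family, taken from the advisory figures
# quoted in the article (6.0 <= u25, 5.0 <= u29, 1.4.2 <= _31).
AFFECTED_MAX_UPDATE = {
    "1.6.0": 25,
    "1.5.0": 29,
    "1.4.2": 31,
}

# Matches e.g. `java version "1.6.0_25"`; the update suffix is optional
# because early builds of a family carry no "_NN" part.
VERSION_RE = re.compile(r'java version "(\d+\.\d+\.\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from `java -version` output, e.g. ("1.6.0", 25)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output)
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_affected(family, update):
    """True if the build lies inside an affected range, False if it is past the
    last affected update, None if the family is not covered by this advisory."""
    max_affected = AFFECTED_MAX_UPDATE.get(family)
    if max_affected is None:
        return None
    return update <= max_affected


def check(output):
    """Classify one host's `java -version` output as affected/patched/unknown."""
    family, update = parse_java_version(output)
    affected = is_affected(family, update)
    if affected is None:
        return "unknown"
    return "affected" if affected else "patched"


if __name__ == "__main__":
    # Constructed sample outputs for illustration; not captured from real hosts.
    samples = [
        'java version "1.6.0_25"\nJava(TM) SE Runtime Environment (build 1.6.0_25-b06)',
        'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)',
        'java version "1.5.0_29"',
        'java version "1.4.2_31"',
    ]
    for s in samples:
        print(s.splitlines()[0], "->", check(s))
```

Running the block over collected `java -version` lines from an inventory gives a quick triage list; hosts reporting "affected" on the 6.0 branch should move to 6 Update 26 as the article advises, and older branches should take the corresponding updates from the advisory.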