Oracle releases fixes for 40 Java holes
Oracle has published its June Critical Patch Update for Java SE and, as expected, the update fixes 40 security holes, none of which require authentication and 37 of which are exploitable over the network. The company recommends users install the update as soon as possible.
Oracle's risk scoring gives 11 of the vulnerabilities a maximum score of 10.0 on the CVSS scale. The flaws affect all versions of Java including Java 7 Update 21 and earlier, Java 6 Update 45 and earlier and Java 5 update 45 and earlier, though some only affect one or another particular major version of Java. JavaFX 2.2.21 and earlier versions of JavaFX are also affected.
Only the current version of Java, Java SE 7, will be updated for free; downloads of the new version, Java SE 7 Update 25, are available and existing installs should auto-update. Mac OS X users will get an updated Java SE 6 for their systems as an automatic update; Java SE 7 on Mac OS X is updated by Oracle. Users of other older versions of Java will only get updates if they have a maintenance contract with Oracle.
As with previous updates, only four holes affect server installations of Java while nearly all affect Java client deployments. For example, eight of the top-scoring vulnerabilities are in the 2D graphics subsystem. A number also affect AWT and the Java Management Extensions (JMX). One bug only affects the production of documentation of Javadoc HTML pages when placed on a web server which allowed an attacker to insert frames; the company recommends that users of Javadoc regenerate their documentation. Of the few local holes discovered, one was in the installer, one in the networking subsystem and one in the 2D graphics subsystem.
This is the last Java update that will occur on the out of sync timetable that has been in play since the start of the year. The next update is scheduled to take place as part of Oracle's normal Critical Patch Update schedule in October this year (followed by January 2014, April 2014 and July 2014).