Oracle is out this week with Java 6 Update 20, fixing two critical vulnerabilities that could have left users' systems at risk of being exploited by attackers. The flaws affect Java users on Windows, Linux and Solaris platforms.
Users on Microsoft Windows, however, may be more at risk; for them, Oracle has rated the flaw a 10 on the Common Vulnerability Scoring System (CVSS). In contrast, the CVSS score is only 7.5 on Linux and Solaris. The difference in potential severity stems from the fact that many Windows users run their system with full administrative privileges, which is less common on Linux and Solaris, Oracle said.
Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post that the vulnerabilities, which occur specifically in the Java Deployment Toolkit and the Java Plug-in found in recent releases of Java, do not affect Java when running on a server or in a standalone desktop application. Rather, the flaws only affect Java when running in a 32-bit Web browser.
"Both vulnerabilities may allow an attacker to run commands on the user's system with the privileges of the user, whose system may have become compromised by visiting a malicious Web site," Maurice said.
Oracle is rushing out the patch just days after its regular quarterly Critical Patch Update (CPU). The urgency stems from the flaw having been reported publicly on a security mailing list, which put Java users at risk from attackers using the newly public information.
On the mailing list, security researcher Tavis Ormandy warned that Java did not perform proper validation of the URL parameter as part of the Java Network Launch Protocol (JNLP), which enables Java to launch other protocols and applications. As a result, Ormandy warned that arbitrary parameters could be passed through that could lead to exploitation.
"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy wrote.
That unveiling of the flaw led Oracle to spring into action, the company said.
"Because of the criticality of these vulnerabilities, and the publicity they received as a result of their disclosure before the availability of a fix, Oracle recommends that all customers and Java users update their Java installation to the most recent version (6 update 20)," Maurice wrote.
According to Oracle's release notes, the Java SE 6 update 20 release addresses the flaw by ensuring that a JNLP file without a codebase parameter will no longer work.
"This means that developers must specify the codebase parameter in a JNLP file," the advisory said.
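As an added example (not code from the article or from Oracle), here is a small Python check that parses a JNLP file and reports whether its root element declares the codebase that the 6u20 release now requires, and shows where the launcher would resolve the JAR references; the two sample JNLP files and the hostname are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample JNLP files (illustrative, not from the page or from Oracle).
JNLP_WITHOUT_CODEBASE = """<jnlp spec="1.0+" href="app.jnlp">
  <information><title>Example</title><vendor>Example Corp</vendor></information>
  <resources><j2se version="1.6+"/><jar href="app.jar" main="true"/></resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""

# Same file with the codebase attribute that 6u20 and later insist on.
JNLP_WITH_CODEBASE = JNLP_WITHOUT_CODEBASE.replace(
    '<jnlp spec="1.0+"',
    '<jnlp spec="1.0+" codebase="https://apps.example.com/launch/"')


def check_jnlp_codebase(jnlp_text):
    """Return (ok, message): ok is True only when the <jnlp> root carries a
    codebase that is an absolute http(s) URL, so relative resource hrefs
    resolve against a known origin rather than whatever the caller supplies."""
    try:
        root = ET.fromstring(jnlp_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != "jnlp":
        return False, f"root element is <{root.tag}>, expected <jnlp>"
    codebase = root.get("codebase")
    if not codebase:
        return False, "codebase attribute missing (rejected by Java SE 6u20 and later)"
    parsed = urlparse(codebase)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False, f"codebase is not an absolute http(s) URL: {codebase!r}"
    return True, f"codebase OK: {codebase}"


def resolve_resources(jnlp_text):
    """List every <jar href> resolved against the codebase, i.e. the URLs
    the launcher would actually fetch for this file."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase") or ""
    return [urljoin(codebase, jar.get("href")) for jar in root.iter("jar")]


if __name__ == "__main__":
    for name, text in (("without", JNLP_WITHOUT_CODEBASE), ("with", JNLP_WITH_CODEBASE)):
        ok, msg = check_jnlp_codebase(text)
        print(f"{name} codebase: {'PASS' if ok else 'FAIL'} - {msg}")
    print(resolve_resources(JNLP_WITH_CODEBASE))
```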