Java users (and yes, that’s likely you), it’s time to update.
Oracle has released the February Critical Patch Update (CPU) for Java, fixing at least 21 vulnerabilities. The CPU is accompanied by Java Runtime Environment 6 Update 24 for the client-side issues.
Of particular note is the fact that nearly all of the vulnerabilities can be remotely exploited by an attacker.
According to Oracle, 19 of the Java flaws can be remotely exploited over a network without the need for a username and password. Going a level deeper, eight issues carry the highest rating of 10.0 on the Common Vulnerability Scoring System (CVSS).
Trust is a big part of running any type of Java application, and the exploitation of untrusted Java apps on the client side accounts for more than half of the total number of fixed vulnerabilities. According to Eric Maurice, manager for security in Oracle’s global technology business unit, 12 vulnerabilities can be exploited through untrusted Java Web Start applications and untrusted Java Applets, which run in the Java sandbox with limited privileges.
Server-side trust is also an issue, with three patched vulnerabilities specifically affecting server deployments of Java. One of the fixed issues deals with a binary floating-point number flaw that Oracle warned about earlier this month. Oracle had previously made a Java SE Floating Point updater tool available to help users mitigate the risk.
The new Java update should not be ignored by end-users or enterprises.
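One practical way for an enterprise to act on this is to check which hosts still run a Java 6 runtime older than the patched 6 Update 24 release named above. The script below is an added example, not code from the article or from Oracle: it parses the first line of `java -version` output (note that the JVM prints this to stderr, not stdout) and compares the version numerically against 6u24. The host names and captured output lines are constructed sample data, and the `assess`/`audit` function names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Patched client-side release named in the article: Java SE 6 Update 24 (1.6.0_24).
PATCHED_JAVA6: Tuple[int, int, int, int] = (1, 6, 0, 24)

# Matches the version token on the first line of `java -version` output, e.g.
#   java version "1.6.0_24"
#   java version "1.6.0_22-b04"   (build suffix ignored)
#   java version "1.7.0"          (no update number -> update 0)
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) parsed from `java -version` text,
    or None when no version string is present (e.g. Java is not installed)."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    major, minor, micro, update = match.groups()
    # Compare as integers: lexically "1.6.0_7" sorts after "1.6.0_24",
    # which would wrongly report a very old runtime as up to date.
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(output: str, patched: Tuple[int, int, int, int] = PATCHED_JAVA6) -> str:
    """Classify one host's `java -version` output against the 6u24 baseline.

    Returns "ok", "outdated", "other-release" (not a 1.6.x runtime, so this
    baseline does not apply) or "unknown" (no version string found)."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    if version[:2] != patched[:2]:
        return "other-release"
    # Tuple comparison is element-wise and numeric.
    return "ok" if version >= patched else "outdated"


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its assessment; input is host -> captured output."""
    return {host: assess(output) for host, output in samples.items()}


# Constructed sample output as it would be collected from several hosts.
SAMPLE_OUTPUT: Dict[str, str] = {
    "ws-01": 'java version "1.6.0_22"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "ws-02": 'java version "1.6.0_24"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_24-b07)\n',
    "srv-03": 'java version "1.6.0_7"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_07-b06)\n',
    "ws-04": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{host}: {status}")
```

Hosts reporting "outdated" are the ones still exposed to the client-side issues fixed in 6u24; "unknown" hosts need a manual look rather than being assumed safe.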
According to a recent report from networking vendor Cisco, Java attacks rose during 2010 to become the most exploited client-side technology. Java was 3.5 times more exploited than Adobe PDFs, according to Cisco’s data. Cisco blamed the shift to Java exploitation on Java users failing to update to the latest patched versions of Java, and it also put some of the blame for poor Java patching on Oracle, for not having as finely honed a Java patching process as it could have.
Oracle updates Java with CPUs four times a year. The next update is currently scheduled for June 7, 2011.