It’s time to update your Java installation.
This week Oracle released a Critical Patch Update (CPU) for Java, fixing 17 security flaws in Java SE.
According to Oracle’s advisory, only five of the flaws apply to both client and server deployments of Java SE. Client deployments of Java SE are tagged for 11 flaws while only one flaw applies just to Java SE server deployments.
“All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle warned.
Oracle has also ranked the Java vulnerabilities on the Common Vulnerabilities Scoring System (CVSS) which assesses the relative impact and risk of a security flaw. Nine of the Java flaws have a CVSS base score of 10.0, which is the highest possible rating for severity.
HP’s TippingPoint Zero Day Initiative (ZDI) is credited by Oracle for reporting a number of the flaws. ZDI pays security researchers for their discoveries and then keeps the details under wraps until the vendor releases a patch. One of the ZDI reported flaws is titled, ” Java Web Start Command Argument Injection Remote Code Execution Vulnerability.”
“The specific flaw exists within the way Java webstart parses certain properties from the jnlp file,” ZDI stated in its advisory. “Due to insufficient quote escaping it is possible to supply additional command line parameters to the java process. By crafting such parameters, an attacker can execute remote code under the context of the user running the process.”
ZDI also reported a Java IE Browser Plugin flaw that Oracle has now patched.
“The specific flaw exists within the JP2IEXP.dll browser plugin,” ZDI warned in its advisory. The module creates a window hook when an applet is instantiated within the context of a browser. If the underlying DOM element is cloned and the parent object removed, a dangling reference can exist.”
That dangling reference can then potentially be exploited by an attacker to run Java code inside of a user’s web browser.
Java has been identified by multiple vendors as being among the most vulnerable browser plugins. Earlier this year Cisco identified Java exploits as being on the rise in 2010.
Security vendor Qualys reported that Java is the most at-risk browser plugin, mostly due to the fact that it is not updated properly by users.
The latest Java update can now be downloaded from Oracle’s Java.com website for Windows users.