Java Update Fixes 17 Remote Execution Vulnerabilities

Oracle has closed 17 remote execution vulnerabilities in Java, most are in the runtime browser plug-ins

Oracle patched 17 security vulnerabilities and one non-security-related issue in its latest update to Java 6, released June 8. All 17 vulnerabilities would allow attackers to remotely execute code on the affected system without authentication, according to the company.

Nine of the flaws were rated at a risk of 10 out of 10 on Windows machines where the main account was the Administrator account, meaning attackers could theoretically take control of the machine. All but one of the vulnerabilities affected the Java Runtime Environment plug-in that runs in the Web browser.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply [the] fixes as soon as possible,” Oracle said in a statement on its Website.

One Of The Top Three Targets

Java, Internet Explorer and Adobe Reader are the three most frequently attacked programs, and security experts say users run a serious risk of being compromised if they do not regularly update these programs.

“We have seen great success among attackers using flaws in Java to exploit Windows computers, but also a broader experimentation with building malware that will run on Mac and Linux,” Chester Wisniewski, senior security advisor at Sophos, wrote on the NakedSecurity blog. Last year’s Mac-based Koobface was an example of how malware developers could use Java to create cross-platform malware that targeted non-Windows machines.

Java 6 Update 26 (v 1.6.0.26) is available either through the Java updater or on the Website java.com and is available for the Windows, Linux and Solaris operating systems. The update will fix the issues in both the locally installed program as well as the browser plug-ins.

Mac users will have to wait for Apple to patch the issues, as Oracle currently does not provide Java for OS X. Apple patched Java in Leopard and Snow Leopard in March, a month after Oracle fixed the bugs. Starting with Mac OS X Lion, version 10.7, Java will no longer be part of the operating system and will be installed and patched through the Oracle site, Apple said in October.

Java is installed on over 850 million PCs worldwide, making it a major target for cyber-criminals. Java accounted for 17 percent of vulnerabilities affecting browser plug-ins in 2010, Symantec said in its annual Internet Security Threat Report released in April. Java malware generally relies on patched vulnerabilities as old versions of the software are commonplace. Despite its broadly installed base, not many users are actively using Java nowadays on their computers.

“Do you really need Java in your browser? Seriously, do you? If not, get rid of it,” F-Secure’s Mikko Hypponen wrote last May after encountering a malicious link being spammed on Twitter that relied on a Java applet to deliver its payload.

Make No Hasty Decisions

That does not mean users should just go ahead and uninstall the Java runtime environment immediately, though. Popular open-source office productivity suite OpenOffice.org requires Java to function properly, and there are number of VMware products that depend on Java.

Many banking Websites and photo sharing sites still use Java, as well, requiring users to have the Java plug-in installed. Some Websites also still rely on Java applets for data visualisations, as well. In general, a lot of companies still use Java internally for custom solutions, so users should go ahead and update the software instead of removing it altogether.

Wisniewski suggested testing systems without the Java plug-in to find out if it is necessary to have the software installed. Minimising the amount of software plugged into the browser “reduces the attack surface for exploits delivered over the Internet”, Wisniewski said.

“If you require Java, be sure that you deploy this update,” he added.