Oracle patched 17 security vulnerabilities and one non-security-related issue in its latest update to Java 6, released June 8. All 17 vulnerabilities would allow attackers to remotely execute code on the affected system without authentication, according to the company.
Nine of the flaws were rated at a risk of 10 out of 10 on Windows machines where the main account was the Administrator account, meaning attackers could theoretically take control of the machine. All but one of the vulnerabilities affected the Java Runtime Environment plug-in that runs in the Web browser.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply [the] fixes as soon as possible,” Oracle said in a statement on its Website.
Java, Internet Explorer and Adobe Reader are the three most frequently attacked programs, and security experts say users run a serious risk of being compromised if they do not regularly update these programs.
“We have seen great success among attackers using flaws in Java to exploit Windows computers, but also a broader experimentation with building malware that will run on Mac and Linux,” Chester Wisniewski, senior security advisor at Sophos, wrote on the NakedSecurity blog. Last year’s Mac-based Koobface was an example of how malware developers could use Java to create cross-platform malware that targeted non-Windows machines.
Java 6 Update 26 (v 1.6.0.26) is available either through the Java updater or on the Website java.com and is available for the Windows, Linux and Solaris operating systems. The update will fix the issues in both the locally installed program as well as the browser plug-ins.
Mac users will have to wait for Apple to patch the issues, as Oracle currently does not provide Java for OS X. Apple patched Java in Leopard and Snow Leopard in March, a month after Oracle fixed the bugs. Starting with Mac OS X Lion, version 10.7, Java will no longer be part of the operating system and will be installed and patched through the Oracle site, Apple said in October.
Java is installed on over 850 million PCs worldwide, making it a major target for cyber-criminals. Java accounted for 17 percent of vulnerabilities affecting browser plug-ins in 2010, Symantec said in its annual Internet Security Threat Report released in April. Java malware generally relies on patched vulnerabilities as old versions of the software are commonplace. Despite its broadly installed base, not many users are actively using Java nowadays on their computers.
“Do you really need Java in your browser? Seriously, do you? If not, get rid of it,” F-Secure’s Mikko Hypponen wrote last May after encountering a malicious link being spammed on Twitter that relied on a Java applet to deliver its payload.
That does not mean users should just go ahead and uninstall the Java runtime environment immediately, though. Popular open-source office productivity suite OpenOffice.org requires Java to function properly, and there are number of VMware products that depend on Java.
Many banking Websites and photo sharing sites still use Java, as well, requiring users to have the Java plug-in installed. Some Websites also still rely on Java applets for data visualisations, as well. In general, a lot of companies still use Java internally for custom solutions, so users should go ahead and update the software instead of removing it altogether.
Wisniewski suggested testing systems without the Java plug-in to find out if it is necessary to have the software installed. Minimising the amount of software plugged into the browser “reduces the attack surface for exploits delivered over the Internet”, Wisniewski said.
“If you require Java, be sure that you deploy this update,” he added.
CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation
Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…
Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…