News

Java Update Plugs 17 Critical JDK and JRE Security Holes

• By John K. Waters
• June 9, 2011

Oracle released a security update this week that addresses 17 critical Java vulnerabilities affecting the Java Development Kit (JDK) and the Java Runtime Environment (JRE).

The cross-platform Critical Patch Update (CPU), known as Java 6 update 26, provides security patches for Java packages running in the Windows, Linux, and Solaris operating systems.

Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit, the company says on its Web site. A call to the company headquarters confirmed that policy. The company has rated nine of these vulnerabilities a 10-out-10-level risk.

Oracle does explain that, of the 17 new security fixes contained in this CPU, 5 apply to client and server deployments of Java SE, 11 apply to client deployments of Java SE, and 1 applies to server deployments of Java SE. All of these vulnerabilities may be remotely exploitable without authentication, Oracle says. In other words, they may be exploited over a network without the need for a username and password.

A CPU is a collection of patches for "multiple security vulnerabilities," which Oracle issues on a more-or-less regular basis. (A CPU can also include non-security fixes.) Each update fixes only the vulnerabilities discovered since the last update; each update advisory describes only the fixes added since the last one. According to Oracle's published schedule, the next three updates are due on October 18, 2011; February 14, 2012, and June 12, 2012.

In its June CPU Advisory, Oracle warned, "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible…." But the company also offers a workaround:

"Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."

An update for the Mac OS X was not part of this CPU, observed Sophos Senior Security Advisor Chester Wisnewski. "Unfortunately, Mac users will have to wait on Apple to release an update to address these flaws," he wrote in his "nakedsecurity" blog. 

Java 6 Update 26 for all three operating systems is available for download now.