Oracle plugs 14 security holes in its latest Java SE critical patch update

In the security advisory issued on Tuesday, Oracle said that “due to the threat posed by a successful attack”, it “strongly recommended that customers apply CPU fixes as soon as possible.” All of the vulnerabilities affect the Java Runtime Environment. Six of the vulnerabilities received a risk score of 10, the highest that Oracle assigns.

Oracle acknowledged the assistance of the following researchers with the Java SE CPU: Adam Gowdiak of Security Explorations, Andrei Costin of Secunia, Chris Ries of TippingPoint, and Clayton Smith of Entrust.

On the same day, Apple issued a Java security update for Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7.4, and OS X Lion Server 10.7.4 that plugs the same Java holes as the Oracle update.

“Multiple vulnerabilities exist in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_33”, Apple explained in its advisory.