Oracle patches 40 critical Java flaws

The critical patch update (CPU) affects JDK and JRE versions 5, 6 and 7. The vulnerabilities addressed allow an attacker to use a variety of drive-by techniques to let a Java applet run arbitrary code outside of the Java sandbox—paving the way for remote control of systems.

Thirty-four of the fixes address vulnerabilities that only affect client deployments. Four of them can affect client and server deployments. And one of the vulnerabilities affects the Java installer and can only be exploited locally.

The last vulnerability was called out in detail by Oracle’s Edward Maurice in a blog. It affects the Javadoc tool and the documents it creates.

“Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection,” he said. “This means that this vulnerability (CVE-2013-1571) can only be exploited through Javadoc-generated HTML files hosted on a web server. If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers.”

The fix updates the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and it also creates a utility, the Java API Documentation Updater Tool, to fix previously produced (and vulnerable) HTML files.

Obviously, Oracle is recommending that the update be applied ASAP: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU (critical patch update) fixes as soon as possible,” it said in the security bulletin. It’s a sentiment echoed by the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), which said that it “encourages users and administrators...to follow best practice security policies to determine which updates should be applied.”

In a perfect world, all systems would be updated immediately. But Oracle does offer two workarounds for those unable to do that right away. “It may be possible to reduce the risk of a successful attack by restricting network protocols required by an attack...[and] removing privileges or the ability to access the packages from unprivileged users,” the advisory said. “Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems.”

It’s a smart inclusion in the alert, considering that Websense Security Labs in a March study found that close to 75% of end-users are using a Java Runtime Environment release that is more than six months out of date. Almost two-thirds of users are a year behind, and more than 50% are two years behind. A third are three years behind.

Exploitable Java security holes appear to be snowballing in frequency, according to one researcher. “We have seen many Java issues recently, and [we compared] Java vulnerabilities for the first half for the past three years,” said Amol Sarwate, director of engineering at Qualys, in a blog. “This year we had 137 vulnerabilities as compared to just 28 and 38 during the same period for the last two years.”

 
