Oracle patches 17 Java security vulnerabilities in one go

Of the 17 patches, nine are rated critical and cover the 2D graphics, AWT, Deployment, HotSpot, Sound and Swing subsystems.

Owing to the potential threat of a successful attack, Oracle is advising its users to update to JDK or JRE 6 Update 26 or install updates for older Java branches as soon as possible.

The H Online newswire (published by heise) says that Oracle has given 9 of the 17 vulnerabilities a CVSS (Common Vulnerability Scoring System) score of 10.0 - "the highest possible level of severity."

"According to Oracle, all of these vulnerabilities can be remotely exploited without authentication. In some cases, there are multiple instances of each vulnerability which can be exploited by untrusted Java Web Start applications or applets", the newswire says.

"Oracle says the CVSS rating of 10.0 applies only on systems where the user has administrator privileges, as is typical on Windows; where the user does not have administrator privileges, as is typical on Linux or Solaris, the score falls to 7.5 for the vulnerabilities", it adds.

Security researcher Brian Krebs, meanwhile, said that "it looks like most - if not all - of the vulnerabilities addressed by this new version may be exploited remotely without authentication."

The latest version is Java 6 Update 26 (v. …), and is available either through the updater built into Java (accessible from the Windows control panel) or by visiting …, he noted in his overnight security blog.

"If you're not sure which version you have or whether you've got the program installed at all, click the 'Do I have Java' link below the red download button on the Java homepage", he says.

According to Krebs, Java's broad install base has made it a major target for computer crooks.

"It certainly does not help that so many users fail to keep this very powerful program updated. If you have no use for Java, my advice is to get rid of it", he asserts.

"If you can't bring yourself to do that, consider disabling the Java plug-in(s) in your browser of choice unless and until you need the program."
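To make the "which version do I have" check above concrete for an administrator auditing many machines, here is an added Python example; it is not code from the article, from Oracle or from Krebs. It parses the output of `java -version` and flags a Java 6 installation that is older than Update 26. It assumes that Oracle's internal version string for Java 6 Update 26 is `1.6.0_26`, and the sample outputs below are constructed for illustration.

```python
import re
import subprocess

# Patched release named in the article: Java 6 Update 26.
# Assumption: its internal version string is 1.6.0_26 -> (major, minor, micro, update).
PATCHED_JAVA6 = (1, 6, 0, 26)

# Matches strings such as "1.6.0_24" or 1.7.0 (update part optional).
VERSION_RE = re.compile(r'"?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"?')


def parse_java_version(text):
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None when no version string is present, e.g. Java is not installed.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def needs_update(version, patched=PATCHED_JAVA6):
    """True if an installed Java 6 is older than the patched release.

    Returns None when Java is absent or belongs to another branch (e.g. Java 5),
    because this check only knows the Java 6 fix level from the article.
    """
    if version is None:
        return None
    if version[:2] != patched[:2]:
        return None
    return version < patched


def installed_java_version():
    """Run `java -version` on this host (it prints to stderr) and parse it.

    Returns None if no `java` binary is on the PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample outputs in the format `java -version` prints (build ids are made up).
SAMPLES = {
    "old": 'java version "1.6.0_24"\nJava(TM) SE Runtime Environment (build 1.6.0_24-b07)\n',
    "patched": 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n',
    "absent": "",
}

if __name__ == "__main__":
    for label, output in SAMPLES.items():
        ver = parse_java_version(output)
        print(label, ver, "needs update:", needs_update(ver))
    print("this host:", installed_java_version())
```

The comparison is done on integer tuples rather than on the raw strings so that `1.6.0_9` correctly sorts below `1.6.0_26`; a plain string comparison would get that wrong.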
