The vulnerabilities allow attackers to use Java applications or web services in order to remotely install malicious code on computers that run vulnerable versions of Java. Oracle said that such versions are likely to exist on Windows computers because Windows users tend to have administrative privileges. The risk is smaller for other operating systems such as Linux and Solaris, the company noted.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible”, Oracle stressed in its advisory.
Oracle acknowledged the following organizations and individuals for assisting with the CPU: Alin Rad Pop (binaryproof) via Tipping Point's Zero Day Initiative; TELUS Security Labs; Chris Ries via TippingPoint; Doug Lea of Oswego State University of New York; Jeroen Frijters; Peter Vreugdenhil of TippingPoint DVLabs; and Timo Warns of PRESENSE Technologies.
Commenting on the Java patch, Wolfgang Kandek, chief technology officer with Qualys, said: “Currently Java's most common version (Java 6) has five vulnerabilities that are critical. They all have a CVSS score above 9, indicating that they can be exploited through the network without authentication and are capable of providing remote control to the attacker. We recommend installing this update as quickly as possible, as Java is frequently used as an initial access method in web-borne attacks.”