Oracle Finally Releases Java 6 Update 24

Martin Brinkmann
Feb 17, 2011
Updated • Mar 30, 2012
Security
|
9

Critical Java vulnerabilities were discovered in the beginning of February which affected the Java Runtime Environment and Java Development Kit. The affected versions were JRE 6 Update 23 and earlier on all supported operating systems. Instead of releasing a security patch right away, Oracle decided to release a command line tool first to patch the vulnerability (see Java Update Addresses Critical Security Vulnerability) . At the same time, they pointed out that "the FPUpdater tool is not intended for use on systems managed through auto-update as this will disable future auto-updates" which left users with the choice of leaving their system vulnerable, or patching it and breaking automatic updates.

Oracle today released the critical patch update Java 6 Update 24 to the public. The update fixes several critical vulnerabilities including the previously discovered vulnerability that causes hangs when parsing strings like “2.2250738585072012e-308" to binary floating point numbers.

The risk matrix shows lists all 21 security fixes included in the update with information about the versions of Java affected, the access vector and if they are remotely exploitable.

Out of these 21 vulnerabilities, 13 affect Java client deployments. 12 of these 13 vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, which run in the Java sandbox with limited privileges. One of these 13 vulnerabilities can be exploited by running a standalone application.

In addition, one of the client vulnerability affects Java Update, a Windows-specific component.

3 of the 21 vulnerabilities affect client and server deployments. These vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, as well as be exploited by supplying malicious data to APIs in the specified components, such as, for example, through a web service.

3 vulnerabilities affect Java server deployments only. These vulnerabilities can be exploited by supplying malicious data to APIs in the specified Java components. Note that one of these vulnerabilities (CVE-2010-4476) was the subject of a Security Alert released on February 8th.

Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in the Java Runtime Environment (JRE).

(via)

System administrators and users who have Java installed, either in the form of the Java Runtime Environment (JRE) or the Java Development Kit (JDK) should update the software as soon as possible to protect their systems from possible exploits.

Users who have applied the manual command line patch need to uninstall Java before they can install the new updated version.

Advertisement

Previous Post: «
Next Post: «

Comments

  1. Ron Kunce said on April 22, 2011 at 10:13 pm
    Reply

    Java 6 update 24 (along with 22 and 23) introduced a bug that interferes with ASP Remote Scripting. this is highly documented on the Java Forums page: http://www.java-forums.org/new-java/36522-java-jre-6-update-21-22-rs-problem.html

    However, I have not seen anything that states Oracle has been made aware of this problem or has issued a fix. Do you know anything about this?

  2. swami said on February 20, 2011 at 8:33 am
    Reply

    Thanks.
    It didn’t help. I get these ‘There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.’. 13 of them.
    I haven’t had even Firefox installed.

    1. Martin said on February 20, 2011 at 9:35 am
      Reply

      Does the directory exist?

      1. swami said on February 20, 2011 at 11:58 am
        Reply

        No, it doesn’t.
        I can dl the installation packet (offline), but I can’t install it. First time installation said the packet is incompatible, then it just don’t start. The version I did dl is for sure the right one.
        Somehow the patch and I screwed the things up.

  3. swami said on February 19, 2011 at 2:20 pm
    Reply

    I, in a haste, uninstalled the patched JREv23 before deleting the files made by the patch. Then deleted those files, because I couldn’t upgrade to v24.
    Now I can’t install v24 at all. Versions v21 and v22 I can.
    What to do?

    1. Martin said on February 19, 2011 at 3:00 pm
      Reply
  4. DanTe said on February 17, 2011 at 3:51 pm
    Reply

    Thanks for the link.

    Would you know if Window’s implementation of Java also has that vulnerability?

    1. Martin said on February 17, 2011 at 3:57 pm
      Reply

      According to that page all operating systems that the JRE runs on are affected. http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.