Critical Java vulnerabilities were discovered in the beginning of February which affected the Java Runtime Environment and Java Development Kit. The affected versions were JRE 6 Update 23 and earlier on all supported operating systems. Instead of releasing a security patch right away, Oracle decided to release a command line tool first to patch the vulnerability (see Java Update Addresses Critical Security Vulnerability). At the same time, they pointed out that "the FPUpdater tool is not intended for use on systems managed through auto-update as this will disable future auto-updates", which left users with the choice of leaving their system vulnerable, or patching it and breaking automatic updates.
Oracle today released the critical patch update Java 6 Update 24 to the public. The update fixes several critical vulnerabilities, including the previously discovered vulnerability that causes hangs when parsing strings like "2.2250738585072012e-308" to binary floating point numbers.
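As an added example, not code from the original article or from Oracle, here is a small Java program a defender can run to tell whether an installed JRE still carries the parsing hang. It checks `java.version` against 1.6.0_24 and runs `Double.parseDouble` on the string cited above in a daemon thread with a timeout, so an unpatched runtime reports itself as vulnerable instead of hanging the check. The class name, the two-second timeout and the version-string parsing rules are assumptions of this example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class JavaFpHangCheck {

    // The input cited in the article for the parsing hang (CVE-2010-4476).
    static final String PROBLEM_INPUT = "2.2250738585072012e-308";

    // Returns true when the version string is 1.6.0_24 or later.
    // Assumes Oracle's "1.6.0_NN[-bXX]" format for Java 6 and treats any
    // newer major release (1.7, 9, 11, ...) as already fixed.
    static boolean isAtLeast6u24(String version) {
        try {
            String[] parts = version.split("_");
            String[] main = parts[0].split("\\.");
            int major = "1".equals(main[0]) ? Integer.parseInt(main[1])
                                            : Integer.parseInt(main[0]);
            if (major > 6) return true;
            if (major < 6) return false;
            if (parts.length < 2) return false;           // plain "1.6.0": no update number
            int update = Integer.parseInt(parts[1].replaceAll("\\D.*$", ""));
            return update >= 24;
        } catch (RuntimeException e) {
            return false;                                  // unknown format: assume not patched
        }
    }

    // Runs Double.parseDouble in a daemon thread so a vulnerable runtime
    // cannot hang this program; false means the parse did not return in time.
    static boolean parsesWithinTimeout(final String input, long timeoutMillis) {
        ExecutorService executor = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "fp-parse-probe");
                t.setDaemon(true);                         // must not keep the JVM alive
                return t;
            }
        });
        Future<Double> result = executor.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(input);
            }
        });
        try {
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            result.cancel(true);
            return false;
        } catch (Exception e) {
            return true;                                   // threw, but did not hang
        } finally {
            executor.shutdownNow();
        }
    }

    public static void main(String[] args) {
        String version = System.getProperty("java.version");
        System.out.println("java.version = " + version
                + " (at least 1.6.0_24: " + isAtLeast6u24(version) + ")");
        boolean ok = parsesWithinTimeout(PROBLEM_INPUT, 2000);
        System.out.println(ok
                ? "parse returned: this runtime does not exhibit the hang"
                : "parse did not return within 2s: this runtime looks unpatched, update it");
        System.exit(ok ? 0 : 1);                           // exit code usable by inventory scripts
    }
}
```

Compile with `javac JavaFpHangCheck.java` and run it with the JRE under test. The parse loop in an unpatched runtime is CPU-bound and ignores interruption, which is why the probe runs on a daemon thread and the program ends with `System.exit` rather than waiting for it. The version check alone is not sufficient, because a JRE patched with the FPUpdater tool still reports Update 23 while no longer hanging.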
The risk matrix lists all 21 security fixes included in the update, with information about the affected Java versions, the access vector, and whether each vulnerability is remotely exploitable.
Out of these 21 vulnerabilities, 13 affect Java client deployments. 12 of these 13 vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, which run in the Java sandbox with limited privileges. One of these 13 vulnerabilities can be exploited by running a standalone application.
In addition, one of the client vulnerabilities affects Java Update, a Windows-specific component.
3 of the 21 vulnerabilities affect client and server deployments. These vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, as well as by supplying malicious data to APIs in the specified components, for example through a web service.
3 vulnerabilities affect Java server deployments only. These vulnerabilities can be exploited by supplying malicious data to APIs in the specified Java components. Note that one of these vulnerabilities (CVE-2010-4476) was the subject of a Security Alert released on February 8th.
Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in the Java Runtime Environment (JRE).
System administrators and users who have Java installed, either in the form of the Java Runtime Environment (JRE) or the Java Development Kit (JDK), should update the software as soon as possible to protect their systems from possible exploits.
Users who have applied the manual command line patch need to uninstall Java before they can install the new updated version.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.