Sun releases JRE Version 6 Update 7, 90% of desktops currently at risk*

* The 90% of desktops currently at risk comes from numbers presented at the Java One Keynote in 2008.  If you aren't patched, get the Java control panel up and get updated, or go to Sun's site to download the update, cause this one's big.
Written by Nathan McFeters, Contributor

Yesterday Sun released JRE Version 6 Update 7, which according to Sun addresses eight issues. Of course, wherever there is a Java update, you can assume John Heasman had a hand in it. I've decided that the number of Java updates is directly related to the amount of John Heasman research time. He's had a hand in all of the recent Java updates. You might remember Heasman from such ZDNet postings of mine as ToorCon Seattle 2008 (where I discussed numerous pieces of John's research) and Defeating the Same Origin Policy Part 1 and Part 2. From Heasman's blog:
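The footnote above tells you to check the Java control panel and update if you are behind. For a fleet that is easier to do from a script, so here is an added example (mine, not from the post or from Sun) that parses the banner `java -version` prints and reports whether a JRE 6 install is at or above 6 Update 7, which `java -version` reports as 1.6.0_07. The sample banners are constructed, not captured from real hosts; the script also runs `java -version` on the current host when that binary is on the PATH. It scopes its verdict to the JRE 6 line, because the post only names 6u7 as the fixed release.

```python
"""Check whether an installed JRE 6 is at or above 6 Update 7 (1.6.0_07).

Added example, not part of the original post. Sample banners below are
constructed; the live `java -version` call is optional and only runs in main.
"""
import re
import subprocess
from typing import Optional, Tuple

# JRE 6 Update 7 is reported by `java -version` as 1.6.0_07 (1.x numbering).
PATCHED_VERSION = (1, 6, 0, 7)

# Matches the quoted version token in the first line of `java -version` output,
# e.g. java version "1.6.0_05" or java version "1.5.0_15-b04".
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None when no recognisable version token is present.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version: Tuple[int, int, int, int]) -> bool:
    """True when the version is at or above JRE 6 Update 7.

    Tuple comparison keeps the update number in context: 1.5.0_15 compares
    below 1.6.0_07 even though 15 > 7.
    """
    return version >= PATCHED_VERSION


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'pre-6' or 'unknown'.

    Only the JRE 6 line gets a patched/vulnerable verdict; older lines are
    reported as 'pre-6' so they can be checked against Sun's own advisory.
    """
    v = parse_java_version(banner)
    if v is None:
        return "unknown"
    if v[:2] < (1, 6):
        return "pre-6"
    return "patched" if is_patched(v) else "vulnerable"


def installed_java_banner() -> Optional[str]:
    """Run `java -version` on this host; the banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "old_6u5": 'java version "1.6.0_05"\nJava(TM) SE Runtime Environment (build 1.6.0_05-b13)',
    "fixed_6u7": 'java version "1.6.0_07"\nJava(TM) SE Runtime Environment (build 1.6.0_07-b06)',
    "old_5u15": 'java version "1.5.0_15"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04)',
    "no_java": "java: command not found",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:10s} -> {assess(banner)}")
    live = installed_java_banner()
    if live is not None:
        print("this host  ->", assess(live))
```

One caveat when you run this across desktops: `java -version` reports whichever JRE is first on the PATH, and machines that have gone through several updates often keep older JREs installed side by side, so a "patched" verdict for the PATH JRE does not mean the browser plug-in or an older side-by-side install has been removed.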

According to Sun's Security Blog the latest update fixes 8 issues. I'll be releasing advisories and blogging on the issues that I had a hand in, namely:

    238666 Native code execution through malformed TrueType font headers in untrusted Java applet.

    238905 Multiple buffer overflows in Java Web Start JNLP handling

    238905 Security problems with the JRE family version support

If you're thinking the first two issues sound all too familiar, you'd be right. I previously discussed this font issue that led to execution of arbitrary code. And the JNLP parsing code has had a number of similar buffer overflows (details here, here and here) ... not so much "same bug, different app" (the theme of this Brett Moore presentation) as "same bug, same app!"

For the record, Black Hat this year will feature some more Java bugs, which may not actually be patched at the time of the talk. John, Rob Carter, and I will be talking about this, with a good chunk of the research being attributed to Billy Rios. Not that I'm pimping our talk, but it will be outstanding and you should definitely come see it. Ok, I'm pimping my talk, shoot me.

-Nate