Java update plugs 27 critical security holes

Summary: The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

Oracle has shipped a Critical Patch Update for Java SE and Java for Business to fix 27 security flaws that could expose users to malicious hacker attacks.

The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company said in an advisory.

Affected products include:

  • Java SE: JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux; JDK 5.0 Update 23 and earlier for Solaris; and SDK 1.4.2_25 and earlier for Solaris
  • Java for Business: JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux; JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux; and SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux

Vulnerabilities in Java also affect Apple's Mac OS X, but Apple ships its own Java builds and its patches usually lag Oracle's by a very long time.


Talkback

44 comments
  • RE: Java update plugs 27 critical security holes

    Update 18 was downloaded and installed on my computer on 3/12/10, this is not new news.
    reverseswing
    • Update 19

      This is Update 19 and it's new. The story says that the flaws affect
      Update 18 (yours). Go patch.

      _r
      Ryan Naraine
      • Yeah, Java has already updated to version 19 of 6.0

        So this guy is behind the times.
        Lerianis10
  • Apple's patches are usually delayed for a very long time

    So, once again, vulnerability information is in the
    wild and Apple's customers are left hanging there.

    Would-be attackers can now run with the vulnerability
    information which accompanies these patches. They can
    even diff the source before and after to pinpoint
    exactly where the vulnerabilities are.

    The infinite loop control freaks insist on rolling
    their own Java derivative (partly because of the
    hardware abstraction). But they will - as usual - take
    their time and leave their customers at risk.
    honeymonster
    • Java is owned by Sun (now Oracle), not Apple.

      So why should you get the patch from Apple?

      Unless they did something completely retarded like made it impossible
      to use the updates to Java provided by the people who own Java, which
      would make no sense whatsoever, what does Apple have to do with this?
      AzuMao
      • Apple controls Java updates for OS X.

        http://java.com/en/download/manual.jsp

        "Apple Computer supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac."
        rtk
        • ???

          What is the point of them doing this? I don't understand.
          AzuMao
          • Agreed 100%

            There's no point other than control.
            rtk
          • Apple wants to ensure

            that even Java apps have that Apple "look and
            feel" using e.g. native widgets (or something
            which looks like them).

            Hence, they cannot do with Sun's built-in
            generic platform abstraction.

            It's a control issue, basically. Somewhat
            legitimate when you consider that Apple's
            profile *is* attention to details.

            But the fact that they are consistently late
            every time Java is patched means that Apple
            customers live through a period with increased
            risk because the vulnerabilities have been
            disclosed.
            honeymonster
          • I have to agree

            If they would control the user's experience to the extent to which they do so now, they have to take a corresponding level of responsibility--the whole idea of "one throat to choke" is that the person attached to the throat is supposed to be willing to own up to the responsibility that goes along with it.

            If Apple cannot keep their Java in step with the main iteration, they are potentially endangering their user base.
            Third of Five
          • But isn't Java skinnable? Why distribute a custom version of it..

            ..and in doing so delay critical patches?
            AzuMao
          • Yes, Java is skinnable

            But I suspect that there's more to it than just
            Java L&F - like how Java apps integrate with
            the Dock or Exposé. That integration is
            something Sun would not agree to do - as Sun
            always believed that the built-in hw
            abstraction should be enough for everybody.

            Apple hasn't made any official statements as to
            why they distribute their own Java.

            But this problem is really just one example of
            a systemic problem in OSX.

            Big parts of OSX are built on open source and
            other 3rd party software licensed by Apple.
            Often these products are available independent
            of OSX (especially the open source products).
            And they often follow their own release
            schedule.

            A year or so ago I did a small test. I just
            compared versions of libxml in OSX with
            versions available elsewhere. And lo and behold,
            OSX was behind. A quick check on what was fixed
            in the later versions revealed a number of
            vulnerability fixes.

            Vulnerabilities which were sitting in
            current versions of OSX. Actually, very
            much like the c library vuln sitting there for
            10 months.

            At any one time a would-be attacker can find a
            number of OSX vulnerabilities which make good
            exploit candidates simply by comparing versions
            using publicly available information.

            This is a systemic problem because of the way
            Apple assembles their stack: They cannot
            control the release of information regarding
            vulnerabilities in the stack because they do
            not control that stack nor the information.

            Until the software community comes together and
            is willing to wait for the slowest
            distributors to ready a patch, this is going to
            be a liability with OSX. Apple will always be
            late patching. Information will be freely
            available about candidate exploits.
            honeymonster
          • Control ?

            "But the fact that they are consistently late
            every time Java is patched means that Apple
            customers live through a period with increased
            risk because the vulnerabilities have been
            disclosed"

            Then again, Apple knows JAVA is a major attack vector.

            If Mac users were encouraged to go fetch JAVA updates from
            "the wild", there's the strong possibility a hacker could code a
            Trojan, pose it as a JAVA update, and voilà!

            Or, rather, OOPS.

            By handling JAVA in-house Apple prevents that. And that
            allows them to do sufficient testing to make sure the update is
            compatible before releasing it.

            It may be six of one and half a dozen of another, but I'd rather
            get my updates from a trusted source.

            Should it be faster? Maybe.

            What's your take on M$ and their recent track record on
            vulnerabilities? Ten months on that IE6 exploit, wasn't it?

            Sauce for the Goose, and all that.
            Jkirk3279
          • I still don't get it. I mean I know it's going to be delayed SOMEWHAT..

            ..of course.. but come on. It should only take like half an hour for them
            to apply their little GUI patch and compile it. Or less since they are a
            big company which can afford some serious hardware. So why isn't it
            released yet? I think they must be having some kind of political problems..
            like Sun refuses to give them access to the updated version or something.
            AzuMao
          • Add It To The List ...

            of things you don't understand.

            How do you keep track of THAT list, when you're typing ceaselessly?
            PMC-CON
          • That was very constructive and informative, thank you.
            AzuMao
  • again, it will affect only windoze

    There is no windoze code that can run on Linux.
    Linux Geek
    • Wrong

      Java is platform independent. Better fix your Linux box as well: http://sites.google.com/site/easylinuxtipsproject/java

      Or better even: switch to OpenJDK + the IcedTea plugin.
      pjotr123
    • .... you're a moron....

      Java runs inside its own virtual machine, thus making every exploit capable of targeting any OS with the Oracle Virtual Machine....

      As long as there's a check to see if it's Linux, you can actually make something that attacks Macs, Linux and Windows at the same time, by exploiting more specific security flaws in the case of so and so OS...

      A flaw cannot work on its own now... you need to use a collection of flaws to penetrate a target system...


      PS: I am aware that I just destroyed your faith... once more
      Ceridan
      • your own words bonehead!

        [i]A flaw cannot work on its own now... you need to use a collection of flaws to penetrate a target system...[/i]
        ...and those extra flaws are only available on windoze!
        Linux Geek