Oracle releases latest round of Java security patches

Oracle's June 2013 Critical Patch Update for Java SE contains 40 security fixes.


Oracle has released fixes for Java SE, most of which address flaws that can be exploited remotely without authentication.

On Tuesday, the technology giant and Java software maker released its June 2013 Critical Patch Update for Java SE. The update includes 40 security fixes, 37 of which address vulnerabilities that can be exploited over a network without a username or password.

The majority of the fixes, 34 in total, apply only to client deployments. Under the CVSS scoring system Oracle uses, several of these flaws receive the highest possible base score of 10.0, meaning they are remotely exploitable without authentication and can fully compromise the confidentiality, integrity and availability of the affected system. Client-only flaws of this kind are typically reached through untrusted Java applets or Java Web Start applications launched from a browser, so systems that do not run the browser plug-in are considerably less exposed.

In addition, four vulnerabilities affect both client and server deployments; the most severe of these has a CVSS base score of 7.5.

One security vulnerability fixed in the latest round of updates affects the Java installer, but can only be exploited locally.

The final fix affects the Javadoc tool and the HTML documentation it generates. In the Javadoc tool shipped with JDK 5.0 and later, Javadoc-generated HTML files hosted on a web server are vulnerable to frame injection: an attacker can craft a link to the documentation site that loads an attacker-controlled page into one of its frames, so visitors who follow the link may be redirected to other sites by their browsers while the address bar still shows the trusted documentation host.

The patched Javadoc tool no longer generates vulnerable pages. Documentation that was generated before the patch remains vulnerable until it is regenerated or run through a separate utility Oracle provides, the "Java API Documentation Updater Tool", which rewrites previously created HTML files in place. Updating the JDK alone does not fix documentation already published on a web server.
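The following is an added illustration of the frame-injection bug class described above; it is not Oracle's Javadoc code or its patch. Javadoc's generated index.html read the URL query string and loaded it into the class frame, and the vulnerable function below reproduces that behaviour; the allow-list validator is an illustrative hardening written for this page, and the hostnames and query strings are constructed for the example.

```javascript
// Added example (not Oracle's code): the Javadoc frame-injection bug class.
// Old Javadoc-generated index.html pages read the URL query string and loaded
// it into the class frame, so a link like
//   http://docs.example/api/index.html?http://attacker.example/
// framed an attacker-chosen page inside the trusted documentation site.
// The hostnames and `search` strings used here are constructed for illustration.

// Vulnerable behaviour: everything after "?" becomes the frame target, unchecked.
function frameTargetUnsafe(search) {
  // `search` plays the role of window.location.search, e.g. "?java/lang/String.html"
  if (typeof search !== "string" || search === "" || search === "undefined") return null;
  return search.substring(1); // drop the leading "?"
}

// Allow-list check for a frame target: a relative path of Javadoc-style
// segments ending in ".html". Anything with a scheme (":"), an empty segment
// ("//" or a leading "/"), a ".." segment, a backslash or other unexpected
// characters is rejected. This is an illustrative validator, not Oracle's patch.
const SEGMENT = /^[A-Za-z_$][A-Za-z0-9_$-]*(\.[A-Za-z_$][A-Za-z0-9_$-]*)*$/;

function isSafeFrameTarget(target) {
  if (typeof target !== "string" || !target.endsWith(".html")) return false;
  if (target.indexOf(":") !== -1) return false; // http:, javascript:, data: ...
  const path = target.slice(0, -".html".length);
  if (path === "") return false;
  return path.split("/").every((seg) => SEGMENT.test(seg));
}

// Hardened behaviour: only a validated target is ever loaded; otherwise fall
// back to the default overview page the frameset would show anyway.
function frameTargetSafe(search, fallback = "overview-summary.html") {
  const target = frameTargetUnsafe(search);
  return target !== null && isSafeFrameTarget(target) ? target : fallback;
}

// In a browser the result would be assigned to the frame like
//   top.classFrame.location = frameTargetSafe(window.location.search);
```

The check is an allow-list rather than a deny-list: blocking only `http:` would still let `//attacker.example/x.html` (protocol-relative), `javascript:`, `data:` or `../` paths through, which is why every path segment is matched against the narrow character set Javadoc actually emits.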

Affected Java SE components include the Java Development Kit and Java Runtime Environment 5.0, 6 and 7: JDK/JRE 7 Update 21 and earlier, JDK/JRE 6 Update 45 and earlier, and JDK/JRE 5.0 Update 45 and earlier are all vulnerable. Patches are also included for JavaFX 2.2.21 and earlier.

Because some of the flaws are rated critical, Oracle recommends applying the update "as soon as possible" through the usual channels, either the Java Auto Update tool or a download from Java's website.

In April, Oracle released 128 security fixes affecting hundreds of products. Affected software included Oracle Fusion Middleware, Oracle HTTP Server, JRockit, WebCenter and WebLogic, and many of the fixes addressed flaws that were remotely exploitable without authentication.

The next Critical Patch Updates are scheduled for 15 October 2013 and 14 January 2014.