Saturday, October 16, 2010

Oracle Updates Java to Fix 29 Vulnerabilities

An update to Java from Oracle patches an ominous-looking set of vulnerabilities.


The new version, Java 6 Update 22 (updates are also available for the 5.0 version of Java), fixes 29 vulnerabilities, 15 of which carry a severity rating of 10.0 on the CVSSv2 scale, the highest possible score. It doesn't get any more severe than these 15.

Beware the installer's usual pre-checked selection of other software you don't need or want, such as the Bing Toolbar or the free McAfee scanner.

Take a look at the list of individual vulnerabilities if you want a sense of just how serious this update is. CVSSv2 is a standard for rating the characteristics and severity of vulnerabilities, and it goes, in a sense, into too much detail.

Brian Krebs recently reported on how Java has become the top target for exploit writers, surpassing even Adobe products. Java is widely deployed on systems where the user has little or no idea that it's even there, and vulnerabilities in old versions allow drive-by compromise of the computer.

This latest set of vulnerabilities fits right into that tradition. Take CVE-2010-3563, called "Sun Java Web Start BasicServiceImpl Remote Code Execution Vulnerability" by TippingPoint's Zero Day Initiative.

'This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Sun Java Runtime. User interaction is required in that a target must visit a malicious page.'

The description should say 'or a legitimate page that has been compromised, by cross-site scripting, SQL injection or a compromised advertisement, so as to include malicious script.'

Patch now, or maybe just get rid of Java. I did this a while ago on one of my systems and it's mostly been OK, but there have been several instances where I have been seriously inconvenienced. Usually it's a site with some custom uploader written in Java.
