June 2011 Java SE Critical Patch Update Released
By Eric P. Maurice-Oracle on Jun 07, 2011
Hi, this is Eric Maurice.
Oracle just released the June 2011 Critical Patch Update for Java SE. Today’s Java Critical Patch Update provides fixes for 17 new security vulnerabilities.
Out of these 17 vulnerabilities, 9 have received a CVSS Base Score of 10.0. This means that, in case of successful exploitation of any of these vulnerabilities, a complete compromise of the targeted system is possible. Per Oracle policies, we report the highest CVSS score across all possible platforms. In the above example, this means that the reported CVSS score is 10.0 to reflect the practice of many Windows users of running their systems with Administrative privileges. On other operating systems (e.g. Linux, Unix), and when Java is executed by users with limited privileges, the CVSS score for these vulnerabilities would be 7.5 to reflect a compromise of the Java application, but not a complete compromise down to the OS layer. The CVSS Base Scores for the remaining 8 vulnerabilities fixed in this Java Critical Patch Update range from 2.6 to 7.6.
1 of these 17 vulnerabilities is specific to server deployment of Java. This means that this vulnerability can only be exploited by supplying malicious input to APIs in the specified Component (e.g. through a Web Service). It cannot be exploited through the use of Java Web Start applications or Java applets.
Out of these 17 vulnerabilities, 5 affect client and server deployments of Java. This means that these vulnerabilities can be remotely exploited by supplying malicious data to APIs in the affected component of the server or be exploited through untrusted Java Web Start applications and untrusted Java applets of the clients. (See discussion of trusted and untrusted applications below.) 11 of the vulnerabilities fixed in this Critical Patch Update affect client-only deployments. This means that these vulnerabilities can only be exploited through untrusted Java Web Start applications and untrusted Java applets.
Java is designed to execute untrusted Java Web Start applications and untrusted applets in the Java sandbox with limited privileges. However, if successfully exploited, the vulnerabilities affecting client deployments fixed in this Critical Patch Update can escape the sandbox, and in some instances (as denoted by a CVSS Base Score of 10.0), result in the full compromise of the targeted system.
Two conditions are required before Java applets or Java Web Start applications are considered trusted. They have to be signed, and the user is required to click "Run" in response to a security dialog prior to their execution. In other words, clicking "Run" makes the signed applet or signed Java Web Start application "trusted". When trusted, such Java Web Start applications and Java applets can run outside the sandbox and will execute with the privileges of the user running them. Trusted applets and trusted Java Web Start application can access the same resources to which the user has access: e.g. they can read/write the same files to which the user can read/write; they can make network connections, etc. As a result, users should exercise caution prior to allowing signed Java applets and signed Java Web Start applications to run.
If after being prompted to run such a signed Web Start application or signed Java applet, the user clicks "Cancel" in the security dialog (instead of “Run”), the signed applet or Web Start application will execute as untrusted, just like an unsigned applet, and in the absence of security vulnerability, will be confined to the Java sandbox.
Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible:
Developers should download the latest release at http://www.oracle.com/technetwork/java/javase/downloads/index.html.
Java users should download the latest release of JRE at http://java.com, and of course
Windows users can take advantage of the Java Automatic Update to get the latest release.
For More Information:
The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml