Oracle released a Critical Patch Update (CPU) last week to fix 14 Java SE vulnerabilities. The vulnerabilities are of particular concern because they could let cybercriminals use Java applications or web services to install malicious code on computers running unpatched versions of Java.
Oracle listed Windows computers as the most exposed to attack because many Windows users run with administrative privileges, but it also said users running Linux, Solaris, or other operating systems bear some risk. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” urged the advisory.
Qualys CTO Wolfgang Kandek commented on the latest Java CPU: “Currently Java's most common version (Java 6) has five vulnerabilities that are critical. They all have a CVSS score above 9, indicating that they can be exploited through the network without authentication and are capable of providing remote control to the attacker. We recommend installing this update as quickly as possible, as Java is frequently used as an initial access method in web-borne attacks.”