Oracle released Java 6 Update 26 on June 8. While the update was part of Oracle's regular Java release schedule, it was of particular importance due to the various security vulnerabilities it patched. In all, 17 remote execution vulnerabilities in Java were closed.
The 17 patched vulnerabilities were not only found in Java itself, but also in browser plugins. According to Oracle, the vulnerabilities provided hackers an avenue to execute code on affected systems remotely and without authentication. Nine of the holes were considered to be severe, earning risk ratings of 10 out of 10 in cases where Administrator accounts on Windows machines were affected. Much of the severity of these ratings was due to the fact that hackers could essentially take control of the machines once in. The browser-based Java Runtime Environment plugin was a focus of the update as well, as almost all of the vulnerabilities affected it.
Java 6 Update 26 can be downloaded by using the Java updater or by visiting www.java.com. Downloading and installing the update will fix the issues in the locally installed Java as well as those affecting browser plugins. At this moment, the update is only available for those using the Windows, Linux, and Solaris platforms. Since Oracle does not provide Java for the OS X platform, Mac users will have to wait for Apple to fix the issues. If the past is any indication, Apple should begin patching the problems soon, as it last fixed Java issues in its Leopard and Snow Leopard platforms in March, one month after Oracle did the same. Apple users should see better patching coordination in the future, however, as Apple said that Java would be installed and patched directly through the Oracle site once Mac OS X Lion 10.7 is released.
It's really no mystery as to why hackers seem to focus so heavily on Java. The program's widespread existence makes it a target worthy of hackers' efforts. As reported by Symantec's Internet Security Threat Report released in April, Java is installed on over 850 million computers across the globe, and it was responsible for 17 percent of browser plugin vulnerabilities in 2010. Java combines with Adobe Reader and Internet Explorer to form a trio of the most frequently attacked programs, making it essential for users to perform regular updates.
Oracle recommends that users download the latest Java update as soon as possible to avoid the threat of any attacks. This goes for users on all platforms, not just Windows. In a post on the NakedSecurity blog, Chester Wisniewski, a senior security advisor at Sophos, wrote the following: “We have seen great success among attackers using flaws in Java to exploit Windows computers, but also a broader experimentation with building malware that will run on Mac and Linux.”
While some believe that Java is unnecessary and should be uninstalled, it is still used in various instances. Some banking websites, VMware products, and the popular OpenOffice.org productivity suite use Java. Thus, many recommend that you keep the program installed on your computer, remembering to update it on a regular basis.