Oracle recently released Java's Critical Patch Update, or CPU, for February. In other words, if you have not updated Java, now is the time to do so. Oracle only releases CPUs for Java four times per year, and this month's update fixes 21 vulnerabilities. The next CPU is set to be released on June 7, 2011.
Of the 21 vulnerabilities, 19 can be exploited remotely by hackers via a network. Even more alarming is that they can be exploited without a username or password. While the vulnerabilities susceptible to remote attacks are of concern, there are even more pressing issues. Eight of the vulnerabilities have a 10.0 rating on the CVSS, or Common Vulnerability Scoring System. The CVSS is the industry standard that is used to rate the severity of security vulnerabilities in computer systems, and 10.0 is the highest rating on the scale.
Java has a rather poor recent history when it comes to exploitation, and the blame has been divided between the technology's users and Oracle. Oracle's Java update mechanism has been criticized for its lack of effectiveness and poor design. Many believe this is the reason why so many users have failed to update Java in the past. Statistics from 2010 reflect Java's updating problem and the disconnect with its users. Cisco, a networking vendor, reported that Java was exploited 3.5 times more than Adobe's PDF Reader last year, earning it the dubious label of the most exploited client-side technology on the market.