Oracle Patch Fixes 21 Java Vulnerabilities

Oracle recently released Java’s Critical Patch Update, or CPU, for February. In other words, if you have not updated Java, now is the time to do so. Oracle only releases CPUs for Java four times per year, and this month’s update fixes 21 vulnerabilities. The next CPU is set to be released on June 7, 2011.

Oracle’s newest Java update addresses issues on both the client and the server side. As such, both end-users as well as enterprises should ensure that the latest update is installed and running to avoid the exploitation of the various vulnerabilities that exist. 

The majority (12) of the fixed vulnerabilities exist on the client side, and are open to exploitation via untrusted Java Applets and untrusted Java Web Start Applications. To further address the client side issues, Oracle paired the Java Runtime Environment 6 update 24 with the CPU.

Oracle patched three vulnerabilities on the server side that targeted Java’s server deployments. A binary floating-point number flaw accounts for one of the three fixed vulnerabilities. Oracle warned users about this issue earlier this month, prior the the release of the CPU.

{mospagebreak title=Vulnerabilities Fixed}

Of the 21 vulnerabilities, 19 can be exploited remotely by hackers via a network. Even more alarming is that they can be exploited without a username or password. While the vulnerabilities susceptible to remote attacks are of concern, there are even more pressing issues. Eight of the vulnerabilities have a 10.0 rating on the CVSS, or Common Vulnerability Scoring System. The CVSS is the industry standard that is used to rate the severity of security vulnerabilities in computer systems, and 10.0 is the highest rating on the scale.

Java has a rather poor recent history when it comes to exploitation, and the blame has been divided amongst the technology’s users and Oracle. Oracle’s patching with Java has been criticized for its lack of effectiveness and poor design. Many believe this is the reason why so many users have failed to update Java in the past. Statistics from 2010 reflect Java’s updating problem and the disconnect with its users.  Cisco, a networking vendor, reported that Java was exploited 3.5 times more than Adobe’s PDF Reader last year, earning it the dubious label of the most exploited client-side technology on the market.

For more on this topic, visit

[gp-comments width="770" linklove="off" ]

chat sex hikayeleri Ensest hikaye