Oracle released update 26 for its Java SE 6 platform to address remotely exploitable vulnerabilities, many of which could result in arbitrary code execution. Even if the plant floor itself is not running Java, its connections to the enterprise network mean these vulnerabilities can still pose a security risk.
Of the included patches, eleven apply only to the Java SE client and one only to the server version. The rest affect both platforms.
Nine vulnerabilities carry the maximum score of 10 on the CVSS scale. A score of 10 means an attacker can exploit the vulnerability easily and without authentication, and that a successful attack can result in a complete compromise of confidentiality, integrity and availability.
The scores were calculated on the assumption that users have administrative privileges (typical on Windows) and are able to run Java applets or Java Web Start applications, which is the default behavior.
Three of the remaining vulnerabilities carry a CVSS base score of 7.6, four of 5.0 and one of 2.6. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU (Critical Patch Update) fixes as soon as possible,” Oracle wrote in its advisory.
Java vulnerabilities are commonly exploited in drive-by download attacks that infect users with malware. In fact, according to statistics gathered from live web exploit kit installations, Java exploits are the most effective ones.
This points to a large number of outdated Java installations on people’s computers and to the ineffectiveness of the Java updater, which only runs once a month.
Java is a requirement for some popular desktop applications, like OpenOffice, to function properly.
Since the vast majority of attacks come from the web, where there isn’t much Java content anymore, users should consider manually removing the Java browser plug-in. Keep in mind, however, that each Java upgrade re-installs it.