Java SE users should upgrade their JDK and JRE packages as soon as possible, Oracle officials said in their Critical Patch Update last week.
That update fixes 14 vulnerabilities, of which six were critical because they allow attacks over the network without authentication.
While Oracle supplies little information about the bugs themselves, the six critical issues appear to involve the Web Start launching of applications and applets that are untrusted, either because they were delivered without a certificate or because the certificate check failed. One of the holes can also be exploited by reaching it through a web service.
Linux vendor Red Hat already has more information in its database. One of the now-fixed bugs concerns the HotSpot JVM and a failure to properly check accessibility rules and object attributes, allowing a crafted class file to evade the Java sandbox’s restrictions.
Another issue involved multiple flaws in the native code of the font manager: a crafted font file could crash the Java Virtual Machine or corrupt its memory and, in turn, possibly allow code execution.
A flaw in the Swing GUI library's SynthLookAndFeel failed to prevent access to UI elements from outside an application; a malicious application could use this flaw to crash the JVM or bypass its sandbox. The same results could follow from exploiting a lack of proper protection in CORBA data models.
The updates are a must for Java SE 7 (Update 4 and earlier), 6 (Update 32 and earlier), 5 (Update 35 and earlier) and 1.4.2_27 and earlier. JavaFX 2.1 and earlier is also affected. The updates are available for Windows, Linux and Solaris from Oracle's download page.
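For an administrator who needs to find out which machines still need this update, the affected-version list above is the thing to check against. The following script is an added example written for this article, not Oracle's or Red Hat's code: it parses the banner printed by `java -version` (or a bare version string from an inventory export), and reports whether the installation falls inside the ranges the article lists. The sample banner embedded in it is constructed; the `java` binary name and the banner format are assumptions about a typical installation.

```python
import re
import subprocess

# Highest affected update level per release family, as stated in the article
# (Java SE 7u4, 6u32, 5u35 and 1.4.2_27 and earlier). Anything at or below
# these values is affected; anything newer is assumed to carry the fix.
AFFECTED_MAX_UPDATE = {
    (1, 7, 0): 4,
    (1, 6, 0): 32,
    (1, 5, 0): 35,
    (1, 4, 2): 27,
}

# Matches strings such as 1.6.0_32 or "1.7.0" (update suffix optional).
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Constructed sample banner in the shape `java -version` prints to stderr.
SAMPLE_BANNER = (
    'java version "1.6.0_32"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_32-b05)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 20.7-b02, mixed mode)\n'
)


def parse_java_version(text):
    """Return (major, minor, micro, update) from a version banner or a bare
    version string, or None when no version number is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0   # "1.7.0" means update 0
    return (major, minor, micro, update)


def is_affected(version):
    """True if the version lies in an affected range, False if it is newer,
    None for release families the article does not mention (e.g. 1.3)."""
    family, update = version[:3], version[3]
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


def classify(text):
    """Human-readable verdict for one banner or version string."""
    version = parse_java_version(text)
    if version is None:
        return "unknown: no Java version number found"
    label = "%d.%d.%d_%02d" % version
    verdict = is_affected(version)
    if verdict is None:
        return "%s: release family not covered by this advisory" % label
    if verdict:
        return "%s: AFFECTED, apply the Critical Patch Update" % label
    return "%s: not affected by this advisory" % label


def check_installed_java(binary="java"):
    """Run `java -version` on this host and classify the result.
    The banner is written to stderr, so both streams are examined."""
    try:
        proc = subprocess.run([binary, "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown: no %r binary on PATH" % binary
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("sample banner ->", classify(SAMPLE_BANNER))
    print("this host     ->", check_installed_java())
```

Because the banner carries the full `1.x.y_uu` string, the same parser works on the output of a fleet-wide inventory tool as well as on a single host; versions from families the article does not list are reported as uncovered rather than silently marked safe.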