When a company recommends users install an update as soon as possible, you know there are some issues, but that is just what Oracle did as it published its June Critical Patch Update for Java SE.
The update fixes 40 security holes, none of which require authentication and 37 of which are exploitable over the network.
Oracle’s risk scoring gives 11 of the vulnerabilities the maximum CVSS score of 10.0. The flaws affect all versions of Java, including Java 7 Update 21 and earlier, Java 6 Update 45 and earlier and Java 5 Update 45 and earlier, though some affect only one particular major version of Java. JavaFX 2.2.21 and earlier versions of JavaFX are also affected.
Only the current version of Java, Java SE 7, will update for free. Downloads of the new version, Java SE 7 Update 25, are available and existing installs should auto-update. Mac OS X users will get an updated Java SE 6 for their systems as an automatic update; Java SE 7 on Mac OS X will update via Oracle. Users of other older versions of Java will only get updates if they have a maintenance contract with Oracle.
As with previous updates, only four holes affect server installations of Java, while nearly all of them affect Java client deployments. Eight of the top-scoring vulnerabilities are in the 2D graphics subsystem. A number also affect AWT and the Java Management Extensions (JMX).
One bug affects only the HTML documentation generated by Javadoc: when such pages are placed on a web server, the flaw allowed an attacker to insert frames into them, so the company recommends that users of Javadoc regenerate their documentation. Of the few local holes discovered, one was in the installer, one in the networking subsystem and one in the 2D graphics subsystem.