Oracle update of Java closes critical holes
In the notes on the June 2012 Critical Patch Update for Java, Oracle recommends that Java SE users should upgrade their JDK and JRE packages as soon as possible. The update fixes 14 vulnerabilities, of which 6 are classified as critical because they allow attacks over the network without authentication.
Oracle supplies little information about the bugs themselves. The six critical bugs appear to involve the Web Starting of applications and applets which are untrusted either because they were delivered without a certificate or because the certificate testing failed. One of the holes can also be exploited by accessing it through a web service.
The Linux vendor Red Hat already has more information in its database. One of the now-fixed bugs, CVE-2012-1723, concerns the HotSpot JVM and a failure to properly check accessibility rules and object attributes, allowing a crafted class file to evade the Java sandbox's restrictions. Another issue, CVE-2012-1713, involved multiple flaws in the native code of the font manager – this could allow a crafted font file to crash or corrupt the memory of the Java Virtual Machine and, in turn, possibly allow code execution.
A flaw in the Swing GUI library's SynthLookAndFeel, CVE-2012-1716, failed to prevent access to UI elements from outside an application; a malicious application could use this flaw to crash the JVM or bypass its sandbox. The same results could be obtained from exploiting CVE-2012-1711, caused by a lack of proper protection in CORBA data models.
The updates are required for Java SE 7 (Update 4 and earlier), 6 (Update 32 and earlier), 5 (Update 35 and earlier) and 1.4.2_27 and earlier. JavaFX 2.1 and earlier are also affected. The updates are available for Windows, Linux and Solaris from Oracle's download page.
For Mac OS X 10.6 and 10.7, Apple has offered updated versions of its Java 6 which address the same issues at the same time as Oracle's updates. Previously, there had been a gap of some months between an Oracle update and equivalent Apple update, but after the Flashback malware exploited that gap, Apple and Oracle have moved to coordinate their updates more tightly. Oracle are already responsible for Java 7 on Mac OS X and the Java 7 updates are also available from the Oracle download page. The updates include a new feature which automatically disables the Web Start and applet support if they are unused for 35 days or if they don't meet the daily updated "minimum safe version" requirements for Java.
(djwm)