Latest Java Patch Released Fixing 40 Security Flaws

Do you use Java? If so, be aware that Oracle just released its "June 2013 Critical Update for Java SE," a collection of code that provides 40 new security fixes. All but three of them are security holes that can be exploited remotely without any kind of authentication. Four of the vulnerabilities affect client and server deployments, while 34 affect only client deployments, Oracle said, adding that Java users should waste no time applying the update.

"Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities," Oracle said in a statement. "Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way."

Java Bandaid

One of the security holes Oracle plugged affects the Javadoc tool and the documents it creates. According to Oracle, some HTML pages created by version 1.5 or later of its Javadoc tool are susceptible to frame injection. If exploited, the flaw could let a remote attacker inject frames into a vulnerable webpage and direct users to malicious webpages. It received a CVSS Base Score of 4.3, which would classify it as a "major" bug.