A little over three months after the last Java update, Oracle has released Java 6 update 26 for Windows, Linux and Solaris.
This update addresses 17 security vulnerabilities and one non-security bug. Oracle states that all 17 vulnerabilities can be exploited remotely without authentication, that is, over a network without a username or password.
Oracle has given nine of the flaws a CVSS base score of 10.0, the highest possible. All but one of the vulnerabilities affect the Java Runtime Environment (JRE) client software, the part of Java that runs applets inside your browser, which is exactly the component attackers reach by luring users to a malicious or compromised web page.
Attackers have had great success using flaws in Java to exploit Windows computers, and we have also seen broader experimentation with malware built to run on Mac and Linux; because the JRE is the same across platforms, a single Java exploit often works wherever the vulnerable runtime is installed.
Unfortunately, Mac users will have to wait for Apple to release an update for these flaws, as Oracle does not provide Java for OS X; Apple ships its own build of the JRE.
Windows, Linux and Solaris users can download the latest Java from http://java.com/en/download/manual.jsp?locale=en.
If you haven't already, I recommend testing your standard OS images without the Java plug-in. Most users don't need Java in the browser these days, and removing the plug-in takes away an attack surface that is exposed to every web page a user visits.
If you do require Java, be sure to deploy this update promptly. If you aren't sure whether you need it, test your images without it. The less software plugged into your browser, the harder it is for attackers to exploit your users.
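As an added example, not code from the original post or from Oracle, here is a small POSIX shell audit script for Linux/Solaris images that checks the two things recommended above: whether the JRE on the PATH is at least 1.6.0_26, and whether a Java browser plug-in is installed at all. The version floor comes from the post; the plug-in directory list and file names are assumptions for typical Mozilla/Firefox layouts and should be adjusted for your own images.

```shell
#!/bin/sh
# Added example for this post (not Oracle's or the author's code): audit a
# Linux/Solaris image for the JRE patch level and the browser plug-in.
# Assumed: the fixed build is 1.6.0_26 (the update discussed in the post) and
# the plug-in directories listed below (usual Mozilla/Firefox locations).

MIN_JAVA="1.6.0_26"

# Strip leading zeros so "05" is not read as octal by $(( )); "" becomes 0.
dec() {
    d=$(printf '%s' "$1" | sed 's/^0*//')
    echo "${d:-0}"
}

# Turn a version string, or the first line of `java -version` output
# ('java version "1.6.0_24"'), into one sortable integer:
# major*10^9 + minor*10^6 + patch*10^3 + update (needs 64-bit shell arithmetic).
# Returns 1 if no x.y.z version is found in the input.
java_version_number() {
    for tok in $(printf '%s\n' "$1" | tr -c '0-9._\n' ' '); do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*)
                upd=0
                case "$tok" in
                    *_*) upd=${tok#*_}; tok=${tok%%_*} ;;
                esac
                major=${tok%%.*}
                rest=${tok#*.}
                minor=${rest%%.*}
                patch=${rest#*.}
                patch=${patch%%.*}     # ignore any fourth component
                n=$(( $(dec "$major") * 1000000000 ))
                n=$(( n + $(dec "$minor") * 1000000 + $(dec "$patch") * 1000 + $(dec "$upd") ))
                echo "$n"
                return 0 ;;
        esac
    done
    return 1
}

# 0 if the JRE described by $1 is at or above MIN_JAVA, 1 if older or unparseable.
java_is_patched() {
    have=$(java_version_number "$1") || return 1
    want=$(java_version_number "$MIN_JAVA")
    [ "$have" -ge "$want" ]
}

# Assumed plug-in locations. The Java plug-in is normally a symlink named
# libnpjp2.so (the current plug-in) or libjavaplugin_oji.so (the older one).
PLUGIN_DIRS="/usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins /usr/lib/firefox/plugins ${HOME:-/root}/.mozilla/plugins"

# List every Java plug-in found, one per line; return 0 if any, 1 if none.
find_java_plugins() {
    found=1
    for d in $PLUGIN_DIRS; do
        for f in "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            [ -e "$f" ] || continue    # an unmatched glob stays literal; skip it
            printf '%s -> %s\n' "$f" "$(readlink "$f" 2>/dev/null || echo '(regular file)')"
            found=0
        done
    done
    return $found
}

# Report the patch level of the java on PATH and whether the plug-in is present.
audit() {
    if command -v java >/dev/null 2>&1; then
        ver=$(java -version 2>&1 | head -n 1)
    else
        ver="no java on PATH"
    fi
    if java_is_patched "$ver"; then
        echo "JRE ok: $ver (>= $MIN_JAVA)"
    else
        echo "JRE NOT ok: $ver (below $MIN_JAVA, or absent: update or remove)"
    fi
    if find_java_plugins; then
        echo "Browser plug-in present: test this image with it removed unless users need Java"
    else
        echo "No Java browser plug-in found in: $PLUGIN_DIRS"
    fi
}

# Usage: sh java-audit.sh audit   (the functions can also be sourced and reused)
case "${1:-}" in
    audit) audit ;;
esac
```

Run it with `sh java-audit.sh audit` on a build image. An image that reports a plug-in present but no users who need Java is a candidate for removing the plug-in entirely; one that needs Java should at least report a JRE at or above the floor.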