October's Critical Patch Update (CPU) is the first to include Java, and updating Java is described as a top priority for this month. The update addresses 51 vulnerabilities, 12 of which have the highest CVSSv2 score of 10, indicating that they can be used to take full control of the attacked machine over the network without requiring authentication. Oracle's update on Java goes monthly (from quarterly) this month.
Wolfgang Kandek, CTO of Qualys, says that “Java is widely installed and widely attacked; it should be on the top of your patch list for today”.
The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830.
The new version is Java 7 update 45, and Kandek advises that you should update as quickly as possible on your desktop and laptop machines. Java 6 is also vulnerable to 11 of the 12 highly critical vulnerabilities, but there are no more public patches for Java 6.
The recommended action for Java 6 is to upgrade to Java 7 if possible. If you cannot upgrade, Kandek recommends isolating the machine that needs to run Java 6 and not using it for any other activities that connect it to the Internet, such as e-mail and browsing.