Oracle has released version SE 7, Update 25 as its latest update for Java.
The update addresses 40 vulnerabilities in the software, which include 37 flaws that can be remotely exploited without authentication. In addition, 11 of the bugs received the highest common vulnerability scoring system (CVSS) rating of 10.0 due to their significant threat level to users.
Brian Gorenc, manager of HP Security Research's zero-day initiative team, said that ten of the high-risk vulnerabilities were discovered by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.
“These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code,” Gorenc told SC Magazine US.
“With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue.”
Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.
Starting in October, Java announced that its updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update.
Amol Sarwate, director of engineering at Qualys, said: “All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox.
“Todays CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “Of the 40 fixes in Oracle's Java SE CPU, 37 are remotely exploitable. The majority are vulnerable through browser plug-ins, 11 of which are exploitable for complete control of the underlying operating system.
“The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It's highly likely that earlier versions are also vulnerable.
Java servers are affected by four of the disclosed issues, the worst of which scores a CVSS score of 7.5 out of 10 in terms of base risk.
“The recommendation here, as always, is for all users to patch as quickly as possible. There are a good number of researchers that have been credited for these fixes and it's likely that proof of concept code will be released now that patches are available.”