Java 6 Update 26 Fixes Critical Security Issues

Oracle has released update 26 for its Java SE 6 platform in order to address a number of seventeen remotely exploitable vulnerabilities, many of which could result in arbitrary code execution.

Of the included patches, eleven apply only to the Java SE client and one only to the server version. The rest affect both of the platform's flavors. Nine vulnerabilities carry the maximum score of 10 on the CVSS scale. This means that they can be exploited remotely with ease and no authentication resulting in a complete confidentiality, integrity and availability compromise.

The scores were calculated under the presumption that users have administrative privileges, typically on Windows, and are capable of running Java applets or Java Web Start applications which is default behavior. Three of the remaining vulnerabilities carry a CVSS base score of 7.6, four of 5.0 and one of 2.6. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU (Critical Patch Update) fixes as soon as possible," the company writes in its advisory.

Java vulnerabilities are commonly exploited in drive-by download attacks to infect users with malware. In fact, according to statistics grabbed from live web exploit kit installations, Java exploits are the most effective ones. This suggests the presence of a large number of outdated Java installations on people's computers and the ineffective Java updater, which only kicks in once a month, is partially responsible for that.