21 vulnerabilities just patched in Java 6_24 defined by impact
On Wednesday, February 16, 2011, Oracle, the current owner of the Java technology originally developed by Sun Microsystems, released its second Java update in six days. It was only on Feb 10 that Oracle shipped a fix for a critical Java vulnerability, which I included in my last Security Patch Roundup, published on Feb 11, 2011. Now, just six days later, Java 6 Update 24 has been released, plugging 21 more security holes!
Multiple vulnerabilities in Sun Java have been reported by Secunia and others. They can be exploited by malicious local users to disclose potentially sensitive information, and by remote attackers to disclose potentially sensitive information, manipulate certain data, cause a denial of service (DoS), and compromise a vulnerable system.
One doesn't get a sense of how big a deal this is until one reads an outline of each of those 21 vulnerabilities and the impact each can have. Take a stroll over to Secunia Vulnerability Advisory 43262 and scroll down the long list of exploitable weaknesses that were just fixed by this week's Java update.
Here is how the impacts of the 21 patched vulnerabilities break down:
- Execution of arbitrary code on unpatched machines: 10
- Disclosure and/or manipulation of sensitive data (espionage, sabotage, data theft): 8
- Code escaping the Java sandbox (system invasion): 1
- Denial of Service (DoS) on a server running Java: 1
- Infinite Loop condition (Denial of use of browser, user's Desktop, or even the entire computer): 1
Of these 21 vulnerabilities, the infinite loop is the most interesting one from a mathematical viewpoint:
An error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string to a double-precision binary floating-point value can be exploited to cause an infinite loop.
That decimal value sits just below Double.MIN_NORMAL (2.2250738585072014e-308), the smallest normal double, right at the boundary with the subnormal range, and the conversion's correction loop never converges on an answer there. FloatingDecimal is what Double.parseDouble() and Double.valueOf(String) call, so any code that turns an attacker-supplied string into a double (an HTTP parameter or header, a JSON or XML field, a form value) reaches it, and the thread that made the call spins at 100% of a core until the process is killed. A string blacklist is not a fix, because the same number can be spelled many ways (more digits, a shifted decimal point and exponent, leading zeros). On a server, a handful of such requests exhausts the worker pool, which is a denial of service against the application, the host and whatever depends on it; the author's concern about computers that manage electro-mechanical systems, reactors and municipal utilities is simply that scenario applied to a control system that parses numbers from the network.
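As an added example (my own code, not Oracle's fix and not code from this blog), here is how a Java service could keep attacker-supplied numeric strings away from the vulnerable conversion loop while unpatched JREs remain on the hosts. The class name GuardedDoubleParser, the grammar (30 integer digits, 30 fraction digits, two-digit exponent) and the "twice Double.MIN_NORMAL" threshold are my choices; the principle is an allowlist on input shape plus an exact-value check with BigDecimal, whose String constructor is plain decimal arithmetic and never enters FloatingDecimal's binary rounding loop. The sample inputs in main are constructed for the demonstration.

```java
import java.math.BigDecimal;
import java.util.regex.Pattern;

/**
 * Guard for attacker-supplied decimal strings (added example; hypothetical
 * class, not Oracle's fix). Two independent checks keep the known trigger
 * away from FloatingDecimal.doubleValue():
 *
 *  1. a shape allowlist that caps digit counts and the exponent, so no
 *     string it accepts can denote a magnitude anywhere near 2.2e-308;
 *  2. an exact-value check via BigDecimal that refuses non-zero magnitudes
 *     below twice Double.MIN_NORMAL.
 */
public final class GuardedDoubleParser {

    // Up to 30 integer digits, 30 fraction digits and a two-digit exponent.
    // The smallest non-zero value this grammar can express is 1e-129, about
    // 180 decimal orders of magnitude above the subnormal boundary.
    private static final Pattern SAFE_SHAPE =
        Pattern.compile("[-+]?\\d{1,30}(\\.\\d{1,30})?([eE][-+]?\\d{1,2})?");

    // Double.MIN_NORMAL is 2.2250738585072014E-308; the trigger value sits
    // just below it. Refusing everything below 2 * MIN_NORMAL covers every
    // subnormal and the whole first normal binade (threshold is my choice).
    private static final BigDecimal TINY_LIMIT =
        new BigDecimal(Double.MIN_NORMAL).multiply(BigDecimal.valueOf(2));

    private GuardedDoubleParser() {}

    /** True if the string matches the conservative numeric grammar above. */
    public static boolean hasSafeShape(String s) {
        return s != null && s.length() <= 80 && SAFE_SHAPE.matcher(s).matches();
    }

    /** True if the exact decimal value is zero or |value| >= 2 * MIN_NORMAL. */
    public static boolean hasSafeMagnitude(String s) {
        BigDecimal exact;
        try {
            exact = new BigDecimal(s); // exact decimal parse, no binary rounding loop
        } catch (NumberFormatException e) {
            return false;
        }
        return exact.signum() == 0 || exact.abs().compareTo(TINY_LIMIT) >= 0;
    }

    /**
     * Converts untrusted text to a double, throwing IllegalArgumentException
     * rather than handing Double.parseDouble a string that could hang the thread.
     */
    public static double parseUntrusted(String s) {
        if (!hasSafeShape(s)) {
            throw new IllegalArgumentException("rejected by shape allowlist: " + s);
        }
        if (!hasSafeMagnitude(s)) {
            throw new IllegalArgumentException("rejected, magnitude in subnormal boundary zone: " + s);
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign value, the published trigger string, and
        // two respellings of the same number that a naive string blacklist misses.
        String[] samples = {
            "3.14159",
            "2.2250738585072012e-308",
            "0.22250738585072012e-307",
            "22250738585072012e-324",
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + parseUntrusted(s));
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
        // The exact-value check alone also catches the trigger, independent of the grammar.
        System.out.println("magnitude check on trigger: "
            + hasSafeMagnitude("2.2250738585072012e-308"));
    }
}
```

Only the first sample reaches Double.parseDouble; the three spellings of the trigger are refused by the grammar before the JRE's parser ever sees them, and the final line shows the BigDecimal check rejecting the trigger on its own. The grammar is deliberately narrower than what Double.parseDouble accepts (no whitespace, no "d"/"f" suffixes, no hexadecimal floats); widen it only for fields that genuinely need those forms, and never to three-digit exponents.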
The vulnerabilities that allow arbitrary code execution usually lead to complete takeover of the compromised machine by cyber criminals. They use them to download remote-control backdoor (botnet) executables, used to send spam or launch DDoS attacks, and to install hidden rootkits that conceal and protect other installed malware: data-stealing keyloggers that empty bank, PayPal and brokerage accounts, and fake/rogue security programs that extort "cleanup" money from the owners of infected computers.
Download the latest Java runtime from Oracle, or use Oracle's online version check to see whether you have the current version or an older, vulnerable one. Make sure older versions are uninstalled from your computers, not just left behind: malware can still exploit an older version left on a computer by loading its executables and JAR files from their original default installation path. The new version of Java removes older updates of the same major series (Java 6 Update 24 replaces earlier Java 6 updates), but not earlier series such as Java 5. Those you must uninstall manually, via Control Panel on Windows. On Mac OS X, Java is supplied and updated by Apple through Software Update rather than downloaded from Oracle, so apply Apple's Java updates there.
You can check the security and patch status of many commonly installed programs by routinely running the Secunia Online Software Inspector, which, ironically, runs as a Java applet.
Now, go fix yourself a cup of Mocha Java and get busy updating Java on all of your computers (Mac and Linux included)!
The content on this blog may be reprinted provided you do not modify it and you give credit to Wizcrafts with a link back to the blog home page or to the individual articles you reprint. Commercial use or derivative work requires written permission from the author.