According to the company, 19 of the flaws affecting the Java Runtime Environment could be exploited remotely over a network without a username or password. Eight of the flaws carry the highest possible score of 10 on the Common Vulnerability Scoring System (CVSS) used by the company.
Oracle strongly recommended that customers apply fixes “as soon as possible” due to the “threat posed by a successful attack.”
Oracle security blogger Eric Maurice said that of the 21 flaws, 13 affect Java client deployments; 12 of those can be exploited through untrusted Java Web Start applications and untrusted Java applets, which run in the Java sandbox with limited privileges. The remaining client-side flaw can be exploited by running a standalone application.
Maurice went on to note that three of the 21 vulnerabilities affect Java server deployments only. These flaws can be exploited by supplying malicious data to APIs in the specified components, such as a web service. One of these flaws was the subject of a security alert sent out Feb. 8, he noted.
A recent report by Cisco found that in 2010 Java was exploited three and a half times as often as Adobe PDF. “Even though Adobe received the lion’s share of attention, because of exploits targeting Adobe Reader and Acrobat, the reality is that exploits of Java caused a lot more problems over the year,” noted Mary Landesman, Cisco senior security threat researcher.