If you’re like 80 percent of all web users, chances are that you’re running Java. Have you updated to the latest version yet?
Yesterday, Sun released Java 6 Update 17, fixing multiple vulnerabilities.
Among the issues fixed by Sun is a command execution vulnerability in the Java Runtime Environment Deployment Toolkit. According to Sun’s advisory on the issue, the vulnerability could potentially be leveraged to execute arbitrary code.
There is also a critical fix for a vulnerability in the Java Web Start Installer, which could potentially enable an untrusted Java app to run as trusted and then run whatever code it wants.
Update 17 also addresses what Sun refers to as “Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment”. The overflow vulnerabilities could potentially lead to a privilege escalation attack.
From my perspective, there is one other key vulnerability that Sun is addressing with this update. It has to do with the actual Java update mechanism. Many (if not most) users have their Java installations automatically checking Sun’s server periodically for updates. According to Sun, it didn’t always work.
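Since the automatic update check cannot be relied on, the practical follow-up is to verify the installed build yourself. The script below is an added example, not part of the original post or of Sun's tooling: it parses the `java version "1.6.0_NN"` line that `java -version` prints and reports whether a Java 6 install is at Update 17 or later. The version strings in the comments and usage note are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse the first line that
# `java -version` writes to stderr and decide whether a Java 6 install is at
# or above Update 17. Version strings shown here are constructed samples.

# Print the update number from a line such as:  java version "1.6.0_17"
# Prints 0 for a bare "1.6.0" (no update suffix) and nothing for non-Java-6.
java6_update_number() {
    # $1: the "java version" line exactly as printed by java -version
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.6.0_*) printf '%s\n' "${ver#1.6.0_}" | sed 's/[^0-9].*//' ;;  # strip "-b04" style suffixes
        1.6.0)   echo 0 ;;
        *)       echo "" ;;   # not Java 6 (1.5.x, 1.7.x, or unparseable)
    esac
}

# Succeed (exit 0) only when the line describes Java 6 at Update 17 or later.
java6_is_patched() {
    n=$(java6_update_number "$1")
    [ -n "$n" ] && [ "$n" -ge 17 ]
}

# Usage against the live runtime (java -version writes to stderr, hence 2>&1):
#   java6_is_patched "$(java -version 2>&1 | head -n 1)" && echo "at or above 6u17" || echo "update Java"
```

The check only answers the question the post raises (is this Java 6 install at 6u17 or newer); a machine with several JREs side by side needs the check run against each `java` binary, since `java -version` reports only the one first on the PATH.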