Last week, Oracle released a Critical Patch Update, which included 127 new security fixes for the Oracle ecosystem of products, including Java SE, amongst others. There were 51 critical security fixes for Java, which affect both client and server deployments.
Included in Java's 51 security fixes are patches to 50 vulnerabilities that are remotely exploitable without authentication. Of those 50 vulnerabilities, 10 were assigned a Common Vulnerability Scoring System (CVSS) base score of 10.0, the highest measure of risk defined by the scoring system. This particular subset of vulnerabilities is able to facilitate a “complete takeover of the targeted system (down to the operating system)”, giving attackers the ability to run code on a compromised host in a privileged context.
Many of the vulnerabilities directly affect Java’s client-side runtime environment, including Java’s browser plugin, which allows Java code to run on a client machine when the user visits a website with an embedded application. Of the security fixes in the update, 40 are specific to client-side execution of code through applets or WebStart. In its release notes, however, Oracle noted that of the 10 vulnerabilities with CVSS scores of 10.0, 8 apply to both client and server deployments.
Java’s core architecture defines four distinct layers of abstraction for code execution, which afford the popular language its “Write Once, Run Anywhere” programming paradigm. The top layer is the “Java Application” layer, where application code is written; it interfaces with the “Java Runtime” layer, which includes the core code, application security protocols, and libraries for the programming language. The runtime layer, in turn, interfaces with the “Native Layer”, which is responsible for abstracting execution to the base layer, the operating system. The high-scoring vulnerabilities addressed by this update target the “Native Layer”, thereby bypassing the security measures that are in place at the runtime layer. Exploits that take advantage of native-layer vulnerabilities are able to execute code on the operating system, assuming the privileges of the user or service running the Java process.
Earlier this year, Oracle announced that starting this month, Java SE security fixes and updates will be rolled out with Oracle’s product-ecosystem-wide Critical Patch Updates. The so-called “CPUs” are released quarterly, giving Java four scheduled security releases per year going forward. Oracle says it will also retain the ability to issue emergency security fixes through the Security Alert program. This month's Critical Patch Update makes for the eighth update to Java in 2013.