Threat of the month: Java vulnerabilities
What is it?
Multiple vulnerabilities have been reported in Oracle Java versions prior to 7 Update 51, several of which are remote code execution vulnerabilities. These vulnerabilities can allow an attacker full access to an affected system.
How does it work?
These vulnerabilities are mostly of the same types that we saw the last time Java was patched. It is important to note that some of these issues can be leveraged by simply persuading a user to visit a web page that contains malicious Java content.
Should I be worried?
Yes, you should always be concerned about vulnerabilities in such a mainstream product, where attackers need to perform less work to hit a larger number of victims. We are bound to see the vulnerabilities beginning to surface in frameworks such as Metasploit. Users should exercise caution when visiting untrusted web sites if their systems are not fully patched.
How can I prevent it?
Oracle has issued version 7 Update 51, which fixes the vulnerabilities, and any system using an older version should update to this version. Users should also always remove older versions of Java from their devices once they have updated to the new, secure version.
Source: Kasper Lindgaard, head of research, Secunia
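To act on the two recommendations above (update anything older than 7 Update 51, then remove old versions left behind), the following added example, which is not from the article or from Secunia, audits version lines collected from each Java install on a host. It assumes the legacy `java -version` format (`java version "1.7.0_45"`); the hostnames and inventory are constructed sample data.

```python
import re

# Fixed release named in the article: Java 7 Update 51, reported as "1.7.0_51".
FIXED = (7, 51)

# Legacy version line from `java -version`, e.g.: java version "1.7.0_45"
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(line):
    """Return (major, update) for a legacy version line, or None if unrecognised."""
    m = _VERSION_RE.search(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def audit_host(version_lines):
    """Sort one host's installed runtimes into outdated, patched and unparsed."""
    result = {"outdated": [], "patched": [], "unparsed": []}
    for line in version_lines:
        ver = parse_java_version(line)
        if ver is None:
            result["unparsed"].append(line)  # review by hand, never assume safe
        elif ver < FIXED:
            result["outdated"].append(ver)
        else:
            result["patched"].append(ver)
    # An old runtime left installed next to a patched one still needs removal.
    result["leftover_old_version"] = bool(result["outdated"] and result["patched"])
    return result


def audit_inventory(inventory):
    """Audit every host in a {hostname: [version lines]} mapping."""
    return {host: audit_host(lines) for host, lines in inventory.items()}


# Constructed inventory: hostname -> one version line per installed runtime.
SAMPLE_INVENTORY = {
    "ws-01": ['java version "1.7.0_51"'],
    "ws-02": ['java version "1.7.0_45"'],
    "ws-03": ['java version "1.6.0_45"', 'java version "1.7.0_51"'],
    "ws-04": ['java version "unknown"'],
}

if __name__ == "__main__":
    for host, report in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, report)
```
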