A little over three months since the last update to Java, Oracle has released Java 6 update 26 for Windows, Linux and Solaris.
This update addresses 17 security vulnerabilities and one non-security-related bug. All 17 vulnerabilities allow remote code execution without authentication.
Oracle has rated nine of the flaws ten out of ten in severity. All but one of the vulnerabilities affect the Java Runtime Environment client software that runs in your browser.
Attackers have had great success using flaws in Java to exploit Windows computers, and we have also seen broader experimentation with malware built to run on Mac and Linux.
Unfortunately, Mac users will have to wait on Apple to release an update to address these flaws, as Oracle does not provide Java for OS X.
Windows, Linux and Solaris users can download the latest Java from http://java.com/en/download/manual.jsp?locale=en.
If you haven’t already, I recommend testing out your standard OS images without the Java plug-in. Most people aren’t using Java these days, and removing it reduces the attack surface for exploits delivered over the internet.
Don’t confuse JavaScript with Java either; they are totally unrelated. Not installing the Java Runtime Environment (JRE) has no impact on your browser’s ability to render web pages that require JavaScript.
If you require Java, be sure that you deploy this update. If you aren’t sure, it may be worth testing your images without it. The less software plugged into your browser, the harder it is for malcontents to exploit your users.
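As an added example (not part of the original post, and not an Oracle tool), the following script checks whether the JREs found on a set of images are at or above the 6u26 level the post refers to. It assumes you have already collected the first line of `java -version` output from each host (it prints to stderr); the host names and version banners below are constructed sample data. It treats any newer Java family as acceptable too, which goes beyond the post's single-release focus.

```python
import re

# Patch level the post is about: Java 6 Update 26, reported as "1.6.0_26".
REQUIRED_FAMILY = 6
REQUIRED_UPDATE = 26

# Matches the legacy 1.x banner, e.g. java version "1.6.0_24"
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner line,
    e.g. 'java version "1.6.0_24"' -> (6, 24). None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_patched(banner, family=REQUIRED_FAMILY, update=REQUIRED_UPDATE):
    """True if the JRE is a newer family, or the required family at
    or above the required update. Unrecognised banners count as unpatched."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    fam, upd = parsed
    return fam > family or (fam == family and upd >= update)


def audit(hosts):
    """hosts: {hostname: banner or None}. None means no JRE on the image,
    which is the post's preferred state. Returns {hostname: status}."""
    result = {}
    for host, banner in hosts.items():
        if banner is None:
            result[host] = "absent"
        elif is_patched(banner):
            result[host] = "patched"
        else:
            result[host] = "needs-update"
    return result


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_HOSTS = {
    "ws-01": 'java version "1.6.0_26"',
    "ws-02": 'java version "1.6.0_24"',
    "ws-03": 'java version "1.5.0_22"',
    "ws-04": None,
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_HOSTS).items()):
        print(f"{host}: {status}")
```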