Oracle has announced that it will issue a Critical Patch Update for Java SE next Tuesday, June 7. The update will contain 17 new security fixes for serious vulnerabilities; according to Oracle,
All these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
These versions of Java are affected by this update:
- JDK and JRE 6 Update 25 and earlier for Windows, Solaris, and Linux
- JDK and JRE 5.0 Update 29 and earlier for Windows, Solaris and Linux
- SDK and JRE 1.4.2_31 and earlier for Windows, Solaris and Linux
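A quick way to check whether a machine's installed Java falls in one of the affected ranges above (an added example, not from the original post): parse the version string that `java -version` prints and compare its update number against the last affected update for that family. The sample `java -version` output below is constructed for illustration.

```python
import re
import subprocess

# Affected families from the post, keyed by the "1.x" prefix that `java -version` prints,
# mapped to the last affected update number.
LAST_AFFECTED_UPDATE = {
    (1, 6): 25,  # JDK and JRE 6 Update 25 and earlier
    (1, 5): 29,  # JDK and JRE 5.0 Update 29 and earlier
    (1, 4): 31,  # SDK and JRE 1.4.2_31 and earlier
}

# Matches e.g. 'java version "1.6.0_25"' or 'openjdk version "1.6.0_25"'
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')

# Constructed sample of `java -version` output, used for the offline demonstration below.
SAMPLE_OUTPUT = 'java version "1.6.0_25"\nJava(TM) SE Runtime Environment (build 1.6.0_25-b06)\n'


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_affected(version):
    """True/False if the version's family is in the post's list; None if not listed."""
    if version is None:
        return None
    major, minor, micro, update = version
    last = LAST_AFFECTED_UPDATE.get((major, minor))
    if last is None:
        return None  # family not named in the post (e.g. Java 7 builds)
    if (major, minor) == (1, 4) and micro < 2:
        return None  # the post names only the 1.4.2_x line
    return update <= last


def installed_java_version():
    """Run `java -version` (it prints to stderr); None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("sample:", parse_java_version(SAMPLE_OUTPUT), "affected:", is_affected(parse_java_version(SAMPLE_OUTPUT)))
    local = installed_java_version()
    print("installed:", local, "affected:", is_affected(local))
```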
As many vendors do, Oracle rates the severity of vulnerabilities using the Common Vulnerability Scoring System (CVSS), which ranks vulnerabilities on a scale of 0 to 10, where 10 is most severe, based on a number of factors. The maximum rating for the vulnerabilities to be fixed in this update is 10.0. (Oracle has a page describing their use of CVSS. The Forum of Incident Response and Security Teams (FIRST) has, on its site, a very thorough description of CVSS.)
Because of the severity of these vulnerabilities, and the popularity of Java as an attack vector, I recommend you install these updates as soon as you can, after they are released next Tuesday. This assumes, of course, that you have Java installed on your system; see this post for a discussion of whether you should keep it there.