Saturday, April 17, 2010

Java: Oracle Security Alert CVE-2010-0886

Like me, you've probably been prompted multiple times in recent days/weeks to install a new version of the JRE on your favorite machine hosting Java. The principal reason for the latest version, Java 6 Update 20, is related to Oracle Security Alert CVE-2010-0886. Specifically, the update addresses "vulnerabilities in desktop Java running in [32-bit] web browsers."

The previously cited Oracle Security Alert CVE-2010-0886 states, "Oracle strongly recommends that customers upgrade to these releases as soon as possible." The download page for Java 6 Update 20 states, "This release contains critical security updates to the Java runtime." I think this is a good time to download the full Java 6 Update 20 SDK.

In "WebStart Changes Between 6u17 to 6u20: Signed Applications Almost Impossible," Johan Compagner writes about issues his organization is seeing with their products and these updates. The comments on this post are good and include a link to this forum thread with the title "Security update breals A LOT OF STUFF!"

A recent ITworld article, "Nifty Java Bug Could Lead to Attack," summarizes Tavis Ormandy's recent post, "Java Deployment Toolkit Performs Insufficient Validation of Parameters." It's time for me to go download Java 6 Update 20 SDK via Java Web Start JNLP.
