Oracle released an out-of-band security update for Java SE. Security Alert CVE-2012-4681 addresses three distinct but related critical vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.
These vulnerabilities may be remotely exploitable without authentication. In other words, the vulnerabilities may be exploited over a network without the need for a username and password merely by visiting a malicious web page with an unpatched version of Java.
Affected versions:
- JDK and JRE 7 Update 7 and earlier
- JDK and JRE 6 Update 34 and earlier
Although Java is not required (see Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update. It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.
Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
Download Information
Now that Java SE 7 has been officially released, it is recommended that users of Java SE 6 upgrade to the latest version. When you upgrade from Java SE 6 to Java SE 7, please check installed program files and remove all versions of Java SE 6. As of this posting, Java SE 7u7 is only available from this link: http://java.com/en/download/index.jsp
Verify your version: http://www.java.com/en/download/testjava.jsp
Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
Critical Patch Updates
For Oracle Java SE Critical Patch Updates, the next scheduled dates are:
- 16 October 2012
- 19 February 2013
References
- Java SE 6 Update Release Notes
- Java SE 7 Update Release Notes
- Critical Patch Updates, Security Alerts and Third Party Bulletin
- Security Alert for CVE-2012-4681 Released