44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.
In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.
3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in browsers, or on servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario of this kind of bug on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.
Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE).
Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to high by default.
quote:In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. ... Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to high by default.
I wonder how all these fixes play against the vulnerability in Java 7 update 11 revealed by security researcher Adam Gowdiak in his web posting on 27 Jan 2013, which indicated a significant vulnerability existed in Java allowing the Java Control Panel security setting to be bypassed for unsigned Java apps in a web browser. His disclosure is here: (SE-2012-01) An issue with new Java SE 7 security features...
quote:... What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.
-- The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. A. de Tocqueville