The attack complexity for the bug in the JMX sub-component of Java SE, Java SE Embedded, and JRockit (CVE-2016-3427) is rated high, meaning a successful exploit depends on conditions beyond the attacker's control, such as precise timing, rather than on user interaction. The vulnerability applies to both client- and server-side Java, as it can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, and by supplying data to APIs that do not use the Java sandbox (for example, a Web service).
The four critical vulnerabilities, if exploited successfully, would result in total information disclosure and give the attacker complete control over the targeted system.
Java applets are still around, especially in gaming, remote access tools, and educational software. The good news is that exploit kit writers seem to be ignoring Java vulnerabilities in favor of Adobe Flash. All of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash, according to NTT Group's latest global threat intelligence report.
Even so, don't ignore Java. Oracle pushed out an emergency update back in March for a critical flaw in both the desktop and browser plug-in versions. CVE-2016-0636, which affected Oracle Java SE 7u97, 8u73 and 8u74, scored a 9.3 on CVSS 2.0. In this Critical Patch Update (CPU), Oracle reminded affected users to apply the fixes if they haven't already done so.
It's already been a busy month, what with last week's Patch Tuesday updates from Microsoft and Adobe, the latest warnings about JBoss, and administrators still fixing the Badlock flaw in Samba. Don't delay too long applying all these patches, since attackers will find and take advantage of the security flaw that gets skipped over.