Yesterday was not only Microsoft’s Patch Tuesday; Oracle also released a new version of its Java software that addresses a total of 14 vulnerabilities. Five of these are critical in Java 6, currently the most common version of Java. They all have a CVSS score above 9, indicating that they can be exploited through the network without authentication and are capable of providing remote control to the attacker.
We recommend installing this update as quickly as possible, as Java is frequently used as an initial access method in web-borne attacks.
Also yesterday, Adobe released a new version of its Shockwave player that addresses nine vulnerabilities. While not quite as popular as Adobe Flash, it has a large installed base and has seen its share of use in web-based attacks. The new player is available for both Windows and Mac OS X.
Both enterprise and home users can use Qualys' BrowserCheck tool for a quick verification to see if their version of Java or Shockwave is outdated.