Oracle Java 7 Update 25 Released - 40 vulnerabilities fixed
Java SE 7 Update 25
Note. According to the release notes, this update will expire on 15th November 2013.
Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.
Oracle today released the June 2013 Critical Patch Update for Java SE. This Critical Patch Update provides 40 new security fixes. 37 of these vulnerabilities are remotely exploitable without authentication.
34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments. The highest CVSS Base Score for these client-only fixes is 10.0.
4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments. The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.
One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.
Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates. Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection. This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server. If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers. This vulnerability has received a CVSS Base Score of 4.3. With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn't produce vulnerable pages anymore, and additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files. More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657
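As an added illustration of the defensive side of CVE-2013-1571 (not Oracle's patch and not the Java API Documentation Updater Tool, whose exact code is not on this page): a Javadoc-style `index.html` takes the page to load into the class frame from its query string, and the fix class is to validate that value as a relative `.html` path before using it. The function and sample names below are assumptions made for this example.

```javascript
// Illustrative validator for the frame target a Javadoc-style index.html
// derives from window.location.search (e.g. "?java/lang/String.html").
// Written for this post as an example; not Oracle's code.

// Returns the validated relative page name, or null when the candidate must
// be ignored. Rules: no scheme/authority, only characters Javadoc itself
// emits in file names, every path segment starts with an identifier
// character (so "." and ".." segments cannot occur), and it ends in ".html".
function validFrameTarget(search) {
  if (typeof search !== "string" || search.length < 2 || search[0] !== "?") {
    return null;
  }
  const candidate = search.slice(1);
  // ":" covers http:, https:, javascript:, data:; a leading "/" covers
  // absolute and protocol-relative ("//host/...") targets.
  if (candidate.includes(":") || candidate.startsWith("/")) {
    return null;
  }
  const segment = "[A-Za-z0-9_$][A-Za-z0-9_$.-]*";
  const relativeHtml = new RegExp("^" + segment + "(/" + segment + ")*\\.html$");
  return relativeHtml.test(candidate) ? candidate : null;
}

// Constructed sample query strings (what a browser exposes as
// window.location.search) with the outcome a hardened page should produce.
const SAMPLES = [
  ["?java/lang/String.html", "java/lang/String.html"],
  ["?overview-summary.html", "overview-summary.html"],
  ["?http://other-site.example/page.html", null],   // absolute URL: frame injection
  ["?//other-site.example/page.html", null],        // protocol-relative URL
  ["?javascript:alert(1)", null],                   // script scheme
  ["?../../outside.html", null],                    // traversal out of the doc tree
  ["", null],                                       // no query string at all
];

// Returns true when every constructed sample is handled as expected.
function checkSamples() {
  return SAMPLES.every(([search, want]) => validFrameTarget(search) === want);
}

// In a page this would replace the unchecked assignment, e.g.:
//   const target = validFrameTarget(window.location.search);
//   if (target !== null) top.classFrame.location = target;
```

The same check is a quick way to audit hosted Javadoc output: any `index.html` that assigns the raw query string to a frame location without such validation is of the vulnerable generation.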
Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities. Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way. (Source