No known security vulnerabilities fixed this month, just bug fixes, official support for the latest web browsers, Windows 7 SP1 & 2008 R2 SP1 and performance improvements - which may (or may not?) be useful for MineCraft. .

Download (Direct Links: 32-bit / 64-bit) / Release Notes / Bug Fixes

Highlights
This update release contains important enhancements for Java applications:

  • Improved performance and stability
  • Java HotSpot™ VM 20
  • Support for Internet Explorer 9, Firefox 4, Chrome 10, VirtualBox 4 and Windows 7 SP1 / 2008 R2 SP1
  • Improved BigDecimal (30% faster)

Bug Fixes
Java SE 6u25 does not add any fixes for security vulnerabilities beyond those in Java SE 6u24. Users who have Java SE 6u24 have the latest security fixes and do not need to upgrade to this release to be current on security fixes.
Also worth mentioning (since it is Java related) is that Google Chrome 11 and 12 now feature a new "infobar" which appears whenever a website tries to run the Java plug-in. As explained below, this is designed to help prevent getting infected via drive-by malware downloads caused by Java exploits.



Over the past couple versions, Google has implemented various features in Chrome designed to increase the plug-in security. The internal Flash player was added and fully sandboxed, out-of-date plugin blocking was added, click-to-play appeared in about:flags, and the content settings page of Chrome's options tab introduced plug-in blocking and whitelisting.

Now Google is taking things a step further. Chrome now requires permission to run both the Java and QuickTime plug-ins. In a rather heated Chromium issue discussion, developer Chris Evans explains the reasoning behind the change. It's all about protecting users, he says, since as many as 3/4 of computers run Java and yet only a handful ever use it on a regular basis (he pins the estimate at around 5%). By requiring users to authorize on a per-site or per-launch basis, the hope is to reduce drive-by malware attacks which use Java and Quicktime as a vector.

Other developers take issue with the decision, noting that many may find the notification bar annoying. In truth, though, users who actually need to run Java on a site like F-Secure's online malware scanner need only authorize a particular domain once if they choose.

It seems like a fair trade off, since other plug-ins can't be shoehorned into Chrome's sandbox the same way Flash has been. (Source)