In its final Critical Patch Update of 2014, Oracle Corp. provided fixes for 154 vulnerabilities in total across 14 of the software giant’s product lines; as usual, the most pressing updates involved the company’s long-maligned Java Runtime Environment.
A single Java vulnerability, CVE-2014-6513, was given the highest CVSS rating of 10.0, making it the most severe bug patched in this release.
John Matthew Holt, CTO at Java security vendor Waratek Ltd., based in Dublin, Ireland, said the vulnerability could be exploited by an attacker tricking a user into loading a specially crafted image, corrupting the Java VM’s memory in the process.
“[CVE-2014-6513] can be used to execute arbitrary injected code with the Java VM’s privileges,” said Holt. “In other words, this vulnerability can be used to achieve a complete compromise of the JVM, with full access to data and the execution state of the JVM.”