Emergency Java Fix for 50 Flaws Released
Update 13 for Java 7 and Update 39 for Java 6 were released today by Oracle. The security update, originally scheduled for February 19, was pushed out today because the vulnerabilities in question were being actively exploited in the wild.
"After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue," said Oracle in the company's security update release blog. "Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers."
Today's security update addresses 50 security issues: 44 in client-deployed versions of Java, three in client and server deployments of Java, two in the server-related Java Secure Socket Extension (JSSE), and one in the installation process of the Java Runtime Environment.
Breaking it down, that means all but the installation error can be remotely exploited if unpatched, and, according to Oracle's Java SE Risk Matrix, 35 of the flaws scored a 10.0 -- the highest severity score possible for vulnerabilities based on the ease of exploitation.
For those running Windows, it is recommended that you uninstall the earlier versions of Java before updating.
Apple took steps to protect its Mac OS users yesterday by "blacklisting" all current versions of Java. This means the Web plugin will be disabled until an updated version of Java, which Apple distributes to Mac customers, is released.
Apple has yet to release information on when the updated version of Java will be available for Mac users.