42 Java Holes Fixed in Oracle Patch -- Redmondmag.com

42 Java Holes Fixed in Oracle Patch

By Chris Paoli
04/17/2013

Oracle released on Tuesday a critical security update for its Web-based Java programming language..

The patch, which targets 42 vulnerabilities -- 19 of which have a severity rating of 10 (highest possible threat level) -- includes a majority of vulnerabilities that are currently being exploited.

"This Critical Patch Update contains 42 new security fixes for Oracle Java SE," said Oracle in a pre-release bulletin. "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

April's update applies to JavaFX 2, Java Development Kit Java Runtime Environment 5, 6 and 7.

Along with the fixes, Oracle changed the default setting of Java SE. Java applets will no longer run in a Web browser unless they have been digitally signed until a warning prompt is acknowledged. It has also extended how users will be alerted of other Java-related security issues.

"Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin)," said Brian Krebs in a blog post. "Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority."

Oracle also released this week a critical patch update for security issues in its other products. This week's patch targets over 120 vulnerabilities in 13 Oracle products. According to security expert Wolfgang Kandek, CTO of Qualys, Inc., IT's top concern should be applying the security updates for Oracle's middleware line.

"Oracle's Fusion product group has 29 vulnerabilities addressed, with a top score of 10," said wrote Kandek in an e-mailed comment. "Patch as quickly as possible. One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at '6.8,' which means we will see an Exchange update in the near future."

Oracle's two security patches come after a rough security start for 2013. Along with having three exploits discovered by during the hacking contest at last month's CanSecWest security conference, the company was forced to push out a zero-day Java update after attackers used a flaw to hack Facebook, Microsoft and Apple in February.

While Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.