42 Java Holes Fixed in Oracle Patch

Oracle released on Tuesday a critical security update for its Web-based Java programming language.

The patch, which targets 42 vulnerabilities -- 19 of which have a severity rating of 10 (the highest possible threat level) -- covers most of the vulnerabilities that are currently being exploited.

"This Critical Patch Update contains 42 new security fixes for Oracle Java SE," said Oracle in a pre-release bulletin. "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

April's update applies to JavaFX 2 and to the Java Development Kit and Java Runtime Environment versions 5, 6 and 7.

Along with the fixes, Oracle changed the default setting of Java SE. Java applets that have not been digitally signed will no longer run in a Web browser until a warning prompt is acknowledged. Oracle has also expanded how users are alerted to other Java-related security issues.

"Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin)," said Brian Krebs in a blog post. "Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority."

Oracle also released this week a critical patch update for security issues in its other products. This week's patch targets over 120 vulnerabilities in 13 Oracle products. According to security expert Wolfgang Kandek, CTO of Qualys, Inc., IT's top concern should be applying the security updates for Oracle's middleware line.

"Oracle's Fusion product group has 29 vulnerabilities addressed, with a top score of 10," wrote Kandek in an e-mailed comment. "Patch as quickly as possible. One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at '6.8,' which means we will see an Exchange update in the near future."

Oracle's two security patches come after a rough security start to 2013. Along with having three exploits discovered during the hacking contest at last month's CanSecWest security conference, the company was forced to push out a zero-day Java update after attackers used a flaw to hack Facebook, Microsoft and Apple in February.

While Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild.

About the Author

Chris Paoli is the site producer for and
