42 Java Holes Fixed in Oracle Patch

Oracle released on Tuesday a critical security update for its Web-based Java programming language.

The patch, which targets 42 vulnerabilities -- 19 of which have a severity rating of 10 (the highest possible threat level) -- includes fixes for a majority of the vulnerabilities currently being exploited.

"This Critical Patch Update contains 42 new security fixes for Oracle Java SE," said Oracle in a pre-release bulletin. "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

April's update applies to JavaFX 2 and to the Java Development Kit and Java Runtime Environment versions 5, 6 and 7.

Along with the fixes, Oracle changed the default setting of Java SE. Java applets that have not been digitally signed will no longer run in a Web browser until a warning prompt is acknowledged. Oracle has also extended how users will be alerted of other Java-related security issues.

"Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin)," said Brian Krebs in a blog post. "Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority."

Oracle also released this week a critical patch update for security issues in its other products. This week's patch targets over 120 vulnerabilities in 13 Oracle products. According to security expert Wolfgang Kandek, CTO of Qualys, Inc., IT's top concern should be applying the security updates for Oracle's middleware line.

"Oracle's Fusion product group has 29 vulnerabilities addressed, with a top score of 10," wrote Kandek in an e-mailed comment. "Patch as quickly as possible. One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at '6.8,' which means we will see an Exchange update in the near future."

Oracle's two security patches come after a rough security start to 2013. Along with having three exploits discovered during the hacking contest at last month's CanSecWest security conference, the company was forced to push out a zero-day Java update after attackers used a flaw to hack Facebook, Microsoft and Apple in February.

While Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild.
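The practical follow-up to "patch as quickly as possible" is verifying that the Java runtime on each host is actually at the fixed level. The script below is an added example, not code from the article or from Oracle: it parses the banner that `java -version` prints and compares the installed build against the Java 7 Update 21 level named above. The only baseline taken from the article is 1.7.0_21 for the Java 7 family; baselines for the other affected families (5 and 6) are not stated on the page, so they are left for the caller to supply. The sample banners are constructed for the example, not captured from a real host.

```python
import re
import subprocess

# Baseline from the article: the April 2013 Critical Patch Update shipped as
# Java 7 Update 21, i.e. version string 1.7.0_21. Baselines for the Java 5 and 6
# families are not given on the page; callers may pass their own dict.
PATCHED_BASELINES = {7: (1, 7, 0, 21)}

# Matches the first line of `java -version` output, e.g. java version "1.7.0_21"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, minor, micro, update) parsed from a `java -version`
    banner, or None when no version line is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(banner, baselines=PATCHED_BASELINES):
    """Classify a banner against the known fixed levels.

    Returns None when no version could be parsed, otherwise a tuple
    (family, installed_version, patched) where patched is True/False when a
    baseline for that release family is known and None when it is not.
    """
    installed = parse_java_version(banner)
    if installed is None:
        return None
    family = installed[1]  # 1.7.0_21 -> release family 7
    baseline = baselines.get(family)
    if baseline is None:
        return (family, installed, None)
    # Tuple comparison orders by major, minor, micro, then update number,
    # so a later update (1.7.0_25) also counts as patched.
    return (family, installed, installed >= baseline)


def installed_java_banner():
    """Run `java -version` on this host (it writes the banner to stderr) and
    return whatever it printed; empty string if no java binary is on PATH."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return result.stderr + result.stdout


# Constructed sample banners for demonstration (not captured from real hosts).
SAMPLE_BANNERS = {
    "unpatched": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "patched": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "newer": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)\n',
    "unknown_family": 'java version "1.6.0_43"\nJava(TM) SE Runtime Environment (build 1.6.0_43-b01)\n',
}


def report(label, banner):
    verdict = is_patched(banner)
    if verdict is None:
        return f"{label}: no Java version found"
    family, installed, patched = verdict
    ver = f"{installed[0]}.{installed[1]}.{installed[2]}_{installed[3]}"
    if patched is None:
        return f"{label}: Java {family} ({ver}) has no known baseline; check vendor advisory"
    return f"{label}: Java {family} ({ver}) {'OK' if patched else 'NEEDS PATCH'}"


if __name__ == "__main__":
    for name, text in SAMPLE_BANNERS.items():
        print(report(name, text))
    print(report("this host", installed_java_banner()))
```

Running the script prints one verdict per constructed banner and then one for the local host; on a fleet you would collect the banner remotely and feed it to `is_patched` rather than trusting the version recorded by a package manager, since standalone Java installers are not always tracked there.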

About the Author

Chris Paoli is the site producer for and
