Oracle Updating Recent Java Fix

Oracle announced that the out-of-band patch released earlier in the month to fix 50 vulnerabilities in Java will be updated with a number of addendums that did not make it into the unscheduled release.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," said Oracle's Eric Maurice in a released statement.  "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."

Due to the Feb. 1 release of the out-of-band patch, Oracle said that it was skipping its previously scheduled Feb. 19 security update. However, due to the additions, the updated security patch is now scheduled for the previously announced Feb. 19 date.

While the changes and additions are unknown, Oracle said that because all of Java's security patches are cumulative, those who didn't apply the out-of-band patch can either update now or wait until the newer version is released.

In other Java security news, customers are being warned of rogue malware in the wild that disguises itself as a legitimate Java update. If clicked, the downloader will install harmful malware instead of a Java security update.

"The Java security update is a type of social engineering," said Kevin Haley, director of Symantec Security Response, to eWeek. "It's unrelated to the vulnerability; it's just a way to get people to click on the attachment."

Security experts said that those running up-to-date security software should be protected, but if you have recently downloaded what you thought to be a security update from Java, it is recommended that you run a full system scan.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.