Oracle Releases Massive Patch for 43 Java Vulnerabilities
- By Chris Paoli
- April 17, 2013
Oracle made available for download a critical security update for its Web-based Java programming language on Tuesday.
The patch, which targets 42 vulnerabilities -- 19 of which have a severity rating of 10 (the highest possible threat level) -- includes fixes for a majority of the vulnerabilities that are currently being exploited.
"This Critical Patch Update contains 42 new security fixes for Oracle Java SE," said Oracle in a pre-release bulletin. "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."
April's update applies to JavaFX 2 and to the Java Development Kit and Java Runtime Environment versions 5, 6 and 7.
Along with the fixes, Oracle changed the default setting of Java SE: Java applets that have not been digitally signed will no longer run in a Web browser until the user acknowledges a warning prompt. Oracle has also expanded how users are alerted to other Java-related security issues.
"Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin)," said Brian Krebs in a blog post. "Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority."
Oracle also released this week a critical patch update for security issues in its other products. This week's patch targets over 120 vulnerabilities in 13 Oracle products. According to security expert Wolfgang Kandek, CTO of Qualys, Inc., IT's top concern should be applying the security updates for Oracle's middleware line.
"Oracle's Fusion product group has 29 vulnerabilities addressed, with a top score of 10," wrote Kandek in an e-mailed comment. "Patch as quickly as possible. One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at '6.8,' which means we will see an Exchange update in the near future."
Oracle's two security patches come after a rough security start to 2013. Along with having three exploits discovered during the hacking contest at last month's CanSecWest security conference, the company was forced to push out a zero-day Java update after attackers used a flaw to hack Facebook, Microsoft and Apple in February.
While Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild.
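The practical follow-up for administrators is confirming that the update actually landed on every host. The script below is an added example, not code from the article or from Oracle: it parses the legacy `1.<major>.0_<update>` string that `java -version` prints for Java 5/6/7 and compares it against a minimum update level. Only the Java 7 threshold (Update 21) comes from the article; the `MINIMUM_UPDATE` table, the `SAMPLES` outputs and the host names are constructed for illustration, and any version line the parser does not recognise, or any Java line with no known threshold, is reported as unpatched rather than silently passed.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum update level per Java major version. Only the Java 7 entry is taken
# from the article (Java 7 Update 21); add entries for other lines you run.
MINIMUM_UPDATE: Dict[int, int] = {7: 21}

# Matches the legacy version format, e.g. java version "1.7.0_21"
# (assumption: hosts report versions in this 1.x form, as Java 5/6/7 did).
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if the
    format is not recognised so the caller treats the host as unknown."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(output: str, minimums: Dict[int, int] = MINIMUM_UPDATE) -> bool:
    """True only when the reported update level meets the known minimum.
    Unknown formats and Java lines without a threshold are flagged (False)."""
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    major, update = parsed
    if major not in minimums:
        return False  # no safe level recorded for this line: flag for review
    return update >= minimums[major]


# Constructed sample outputs for three hypothetical hosts (not real captures).
SAMPLES: Dict[str, str] = {
    "host-a": 'java version "1.7.0_21"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "host-b": 'java version "1.7.0_17"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "host-c": 'openjdk version "1.8.0_292"\n',
}


def audit(samples: Dict[str, str] = SAMPLES) -> Dict[str, bool]:
    """Map each host name to whether its reported Java meets the minimum."""
    return {host: is_patched(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, ok in audit().items():
        print(f"{host}: {'patched' if ok else 'NEEDS UPDATE or unknown'}")
```

In a real deployment the `SAMPLES` dict would be replaced by the captured output of `java -version` collected from each host by your inventory tooling; the comparison logic stays the same.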