Feeds

Oracle slaps critical patch on insecure Java

Tries to educate users about potential dangers of in-browser Java apps

Top 5 reasons to deploy VMware with Tegile

Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code.

The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating acording to the CVVS metric the company uses to evaluate the software. Along with this, Oracle has also sought to give users more information about the Java apps that want to execute code within the browser.

The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in user's browsers as a liability rather than a benefit.

Of the 42 security flaws patched by Oracle in April, 39 of them "may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," Oracle wrote in the patch notes.

The most severe vulnerabilities exploit problems in the 2D, Deployment, Hotspot, Install, JAXP, JavaFX, RMI, Libraries and Beans sub-components of the Java runtime environment.

The majority of these exploits apply to client Java deployments, and can only be exploited through untrusted Java Web Start applications, and untrusted applets.

The vulnerabilities affect JDK and JRE 5.0, 6 and 7, along with JavaFX 2.2.7. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company said.

Alongside the patch fixes, Oracle is also rolling out an update (Java 7 Update 21) that lets the plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed).

Low-risk apps will cause a simple message to be displayed, while high-risk apps will be indicated by either an exclamation mark within a yellow triangle (applications with untrusted or expired certificates), or a yellow shield (applications with unsigned and/or invalid certificates)

This patch follows a rather insecure three months for Java: In January, Oracle admitted that Java's security was less than perfect, saying at the time that its grand plan for Java security was to fix it and communicate its security efforts more widely.

In February, a zero day flaw in Java was exploited to let unscrupulous types gnaw at the innards of major companies like Apple, Facebook, and Microsoft. In March, Oracle was forced to issue another emergency patch to deal with another zero day.

We can only wonder what May could bring... ®

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?