Oracle updates Java 7 after Apple’s browser plugin block

  • Liam Tung (CSO Online)
  • — 04 February, 2013 10:13

Oracle on Friday released its February critical patch update for Java 7 two weeks ahead of schedule and days after Apple blocked it for the second time in a month.

The critical Java SE 7 Update 13 fixes 50 vulnerabilities, including one affecting the Java Runtime Environment (JRE) in desktop browsers that was being exploited by hackers.

The attacks prompted Oracle to “accelerate” its usual testing procedures and release the full monthly update two weeks ahead of the February 19 schedule. 

“Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” Eric Maurice, Oracle’s director of software security assurance explained in a blog post on Friday.

The company noted that 49 of the flaws can be exploited remotely without authentication. Forty-four affect Java in desktop browsers only, and three affect Java in both desktop browsers and servers.

The browser flaws can be exploited by untrusted Java applets and Java Web Start applications, while the server-side flaws can be exploited by supplying malicious data to APIs in vulnerable server components.

In addition, one flaw affects the JRE desktop installation process and two affect server deployments of the Java Secure Socket Extension (JSSE).

The release came days after Apple used its anti-malware feature XProtect to block the latest version of the Java 7 Update 11 web plugin, marking the second time it had taken the measure in January.

Apple’s move appeared intended to protect users from attacks against the vulnerabilities. However, the lack of warning caught some businesses that run Macs and enterprise applications built on Java by surprise.

Oracle’s Maurice said the company will begin patching security flaws faster in future, noting that Java was such a popular target for hackers because attacks on Java in browsers were OS-independent.

“The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers,” he said.

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.