Oracle updates Java 7 after Apple’s browser plugin block

Oracle on Friday released its February critical patch update for Java 7 two weeks ahead of schedule and days after Apple blocked it for the second time in a month.

The critical Java SE 7 Update 13 fixes 50 vulnerabilities, including one affecting the Java Runtime Environment (JRE) in desktop browsers that was being exploited by hackers.

The attacks prompted Oracle to “accelerate” its usual testing procedures and release the full monthly update two weeks ahead of the February 19 schedule.

“Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” Eric Maurice, Oracle’s director of software security assurance explained in a blog post on Friday.

The company noted that 49 of the flaws may be remotely exploitable without authentication. Forty-four affect Java in desktop browsers only, and three affect Java in both desktop browsers and servers.

The browser flaws can be exploited by untrusted Java applets and Java Web Start applications, while the server-side flaws can be exploited by supplying malicious data to APIs in vulnerable server components.

In addition, one flaw impacts JRE desktop installation processes and two impact server deployments of Java Secure Sockets Extension.

The release came days after Apple used its anti-malware feature XProtect to block the Java 7 Update 11 web plugin, the latest version at the time, marking the second time it had taken the measure in January.

The move by Apple appeared to be intended to protect users from attacks against the vulnerabilities; however, the lack of warning caught some businesses that use Macs and enterprise applications built on Java by surprise.

Oracle’s Maurice said the company will begin patching security flaws faster in the future, noting that Java was such a popular target for hackers because attacks on Java in browsers were OS-independent.

“The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers,” he said.
