Oracle rushes out another Java update, fixing 50 vulnerabilities

Oracle says Java 7u13 addresses 50 flaws, many of which left systems vulnerable to remote exploits.

Following disclosures by security researchers of vulnerabilities in the last update of Java released in January, Oracle has rushed out ahead of schedule another bundle of fixes for the programming language.

The latest update, originally scheduled for release on February 19, contains 50 security fixes for 49 flaws that were exploitable remotely without authorization. That means they can be exploited over a network without knowledge of a username and password.

Oracle said it updated early because one of the vulnerabilities addressed in the update is already being exploited in the wild.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company warned in an update advisory.

Oracle rushed out a security fix for Java in January after the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) recommended that all users disable the software because of security concerns. Those concerns involved a zero-day vulnerability being exploited by toolkits created by cybercriminals and used to steal sensitive information from computers.

Even after release of that fix, Java 7 update 11, the agency still recommended turning off Java unless using it was absolutely necessary.

It rapidly became apparent that the 7u11 fix had missed its mark. Just days after its release, a hacker began peddling a pair of new Java zero-day vulnerabilities on the online black market for $5000 each.

Other hackers, perhaps lacking the skills to find vulnerabilities, began to exploit the headlines about Java's woes by mounting phishing expeditions offering fake updates of Oracle's programming language. Once installed by a user, the fake update plants a back door on the system that allows a hacker to control it.

Flaws found in update

Java's misfortunes continued when, later in the month, Security Explorations, a Polish security firm with a history of finding security flaws in Java, discovered new vulnerabilities in the 7u11 update that could be exploited to escape the program's sandbox, a programming technique used to isolate and limit the damage malicious code can do to a system.

"These problems will continue until Oracle fixes the sandbox," Bitdefender Senior E-Threat Analyst Bogdan Botezatu said in an interview.

Botezatu was critical of how much reliance Oracle put on users to maintain security in the 7u11 update.

For example, the update sets, by default, the highest security level for Java. At that level, whenever an unsigned Java applet tries to run in a browser, a message pops up cautioning the user that the app may be dangerous and that the user proceeds at their own risk.

Typically, users ignore such warnings because they find them annoying. That's particularly true for children who play Java games on the Web, a fact, Botezatu points out, not lost on digital desperadoes. "I've seen lots of websites running Java malware on pages that have been optimized with keywords targeted at children," he said.

With the latest Java update, Oracle may be trying to change its luck with the program. It appears to have skipped update 12 in its numbering scheme and designated the latest bundle of fixes Java 7 update 13.

Stories by John P. Mello Jr.