Oracle releases new Java fixes, speeds up patching cycle

Oracle patches five more Java vulnerabilities that weren't fixed in a security update earlier in February

Oracle released new Java security updates on Tuesday and announced plans to accelerate the release of future Java patches following recent attacks that have infected computers with malware by exploiting zero-day vulnerabilities in Java browser plug-ins.

The new updates, Java 7 Update 15 and Java 6 Update 41, address five additional vulnerabilities that couldn't be included in the emergency Java update that Oracle released on Feb. 1 due to time constraints. At the time, Oracle broke out of its scheduled 4-month Java patching cycle in order to patch a vulnerability that was being actively exploited by hackers.

Four of the five vulnerabilities addressed in the Tuesday updates can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers, Eric Maurice, Oracle's director of software assurance, said Tuesday in a blog post.

Three of those four vulnerabilities received the highest rating on the Common Vulnerability Scoring System scale -- 10 -- which means they are critical and can be exploited to completely compromise the confidentiality, integrity, and availability of systems where Java runs with administrator privileges, such as Windows XP. On systems where Java does not run with administrative privileges, such as Linux or Solaris, the impact is lower, Maurice said.

The fifth vulnerability affects server deployments of the Java Secure Socket Extension (JSSE) and stems from the Lucky Thirteen attack against SSL/TLS implementations that security researchers disclosed earlier this month.

Even though the new Java 6 Update 41 is available for download from Oracle's website, it is not available from Java.com and must be obtained manually. The updating feature in Java 6 installations will prompt users to download and install Java 7 Update 15.

This was a planned move from Oracle, which previously announced on its website that it will "start auto-updating all Windows 32-bit users from JRE 6 to JRE 7 with the update release of Java, Java SE 7 Update 15 (Java SE 7u15), due in February 2013."

Oracle will speed up its patching cycle for Java. "Oracle's intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers," Maurice said.

The next scheduled Critical Patch Update for Java SE will be released on April 16, two months from now instead of four, and will come at the same time as the Critical Patch Update for Oracle's non-Java products. The next Java patch update after that is scheduled for June 18.

Tags: patches, online safety, security, Exploits / vulnerabilities, Oracle

Michaels says breach at its stores affected nearly 3M payment cards

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get powerful mobile security capabilities, and protect the data the various mobile devices inside your organization.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.