Oracle fixes zero-day Java flaw and over 190 other vulnerabilities

Users should update Java as soon as possible because attackers are already taking advantage of at least one vulnerability

Go ahead and update Java -- or disable it if you don't remember the last time you actually used it on the Web: Oracle's latest patch, released Tuesday, fixes 25 vulnerabilities in the aging platform, including one that's already being exploited in attacks.

In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components.

The patched products include Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. However, only the Java 8 update is publicly available, because general support for Java 7 and Java 6 ended some time ago. Only customers with extended support contracts continue to get access to security patches for those versions.

Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.

One fix is specific to the Mac platform and four fixes are for the Java Secure Socket Extension (JSSE), said Eric Maurice, director of software security assurance at Oracle, in a blog post.

The most severe vulnerability fixed in this Java update, CVE-2015-2590, had zero-day status until this update: attackers were already exploiting it while no fix was available.

An exploit for this vulnerability was recently uncovered by researchers from Trend Micro in attacks that targeted at least the armed forces of an unnamed NATO country and a U.S. defense organization.

The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 that is believed to have ties to Russia's intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.

While Java is still widely used for Web-based applications in business environments, it's rarely seen on consumer-oriented websites today. Therefore, many users don't need the Java browser plug-in, which is the target of the majority of Java exploits.

Manually removing or disabling Java from every browser installed on a computer is possible, but the plug-in might get re-enabled with the next Java update. And uninstalling the Java runtime completely from the system is often not viable, because there are still popular desktop applications that need it.

Fortunately, Oracle added an option in the Java control panel that serves as a central place to disable support for Java-based content across all browsers.
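The Control Panel checkbox writes its state into Java's deployment.properties file, so administrators can verify the setting at scale instead of clicking through every machine. The following checker is an added example, not code from the article or from Oracle; it assumes the property name deployment.webjava.enabled (the documented key behind the "Enable Java content in the browser" option) and the ".locked" suffix that a system-level deployment.properties uses to stop users from re-enabling a setting. The sample file contents are constructed for the example.

```python
"""Audit a Java deployment.properties file for the "Enable Java content in
the browser" setting.

Added example, not from the article or from Oracle. Assumes the documented
property deployment.webjava.enabled and the ".locked" suffix honoured in
system-level deployment.properties; the sample inputs below are constructed.
"""

import re

# Property the Java Control Panel checkbox maps to (Java 7u10 and later).
WEBJAVA_KEY = "deployment.webjava.enabled"


def parse_deployment_properties(text):
    """Parse Java-style key=value lines, ignoring comments and blank lines.
    A key may appear without a value (e.g. '<key>.locked'); later duplicates
    override earlier ones, matching java.util.Properties semantics."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def browser_java_status(props):
    """Return (enabled, locked).

    enabled: True unless the key is explicitly 'false' (the plug-in is on
             by default, so an absent key means enabled).
    locked:  True when the '.locked' entry is present, meaning a user cannot
             flip the checkbox back on from the Control Panel."""
    enabled = props.get(WEBJAVA_KEY, "true").lower() != "false"
    locked = (WEBJAVA_KEY + ".locked") in props
    return enabled, locked


def audit(text):
    """One-line verdict for a deployment.properties file's contents."""
    enabled, locked = browser_java_status(parse_deployment_properties(text))
    if enabled:
        return "browser plug-in ENABLED - set %s=false" % WEBJAVA_KEY
    if not locked:
        return "browser plug-in disabled but unlocked - add %s.locked" % WEBJAVA_KEY
    return "browser plug-in disabled and locked"


# Constructed sample of a system-level file that disables and locks web Java.
SAMPLE_HARDENED = """\
#deployment.properties (constructed sample)
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
"""

# Constructed sample of a default install: the key is absent, so web Java is on.
SAMPLE_DEFAULT = """\
#deployment.properties (constructed sample)
deployment.security.level=HIGH
"""

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(name + ": " + audit(sample))
```

Pointing the script at the real system-level file (the path Oracle's deployment.config names via deployment.system.config; a placeholder here) turns the Control Panel checkbox into a setting an inventory job can confirm, and the ".locked" check catches installs where the option was disabled but a later Java update or a user could silently turn it back on.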

For companies that do need Java support on the Web, defending against zero-day exploits can be a bit more complicated. However, there are options to significantly reduce the likelihood of attacks.

Internet Explorer has a feature that administrators can use to restrict which websites are allowed to load Java content, such as only those hosting relevant business applications. Browsers like Mozilla Firefox and Google Chrome have a click-to-play option that prevents the automatic execution of Web-based Java content.
