SecurityWorkspace

Oracle Patches 50 Java Flaws

Editor of eWEEK and repository of knowledge on storage, amongst other things

Follow on: Google +

Oracle has expedited a set of patches scheduled for later this month and released 50 fixes to licensees

Oracle, beset by pressures to mitigate holes in Java 7 Update 13 that have been abused by hackers, expedited a patch set scheduled for later this month and released a whopping 50 fixes to licensees on 1 February.

A critical Java update was originally scheduled for 19 February, but because at least one of the vulnerabilities is being actively exploited and causing problems, Oracle decided to move up the patch update.

Desktop exploitation

Oracle said 44 of 50 vulnerabilities only affect Java in browsers, which means they can only be exploited on desktops through Java Web Start applications or Java applets.

java spill breach“The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers,” Oracle Global Technology Business Unit manager Eric Maurice said.

Oracle said that in releasing a Critical Patch Update two weeks ahead of the intended schedule – instead of releasing a one-off fix through a Security Alert – would be more effective in helping preserve system security.

The Oracle update came one day after Apple blocked Java 7’s latest update from running on OS X. Apple Insider reported that in January that a zero-day flaw in the Java Runtime Environment was being exploited by nefarious websites and was so serious that the US Department of Homeland Security warned users to disable the web plugin.

Java disabled on Macs

In response, Apple disabled Java 7 through the OS X anti-malware system, requiring users to have at least version “1.7.0_10-b19” installed on their Macs. Friday’s release carries the designation “1.7.0_13-b20”, meeting Apple’s requirements.

The last publicly available release of Java 6 is set to be released on 19 February. After that date all new security updates, patches, and fixes for both the runtime and SDK of Java SE 6 will only be available through My Oracle Support, and will therefore only be available to users with a commercial licence with Oracle.

Are you a security pro? Try our quiz!

Originally published on eWeek.