As exploits climb, Oracle patches Java 7

Share this article:

Responding to a widening outbreak of Java malware, Oracle on Sunday dispensed an urgent fix for the latest version of the software platform.

The patch (Java SE 7 Update 11) falls out of line with Oracle's typical quarterly updating of Java, which was next scheduled for Feb. 15. But the fix became pressing last week when reports of exploits taking advantage of a critical hole began skyrocketing after the vulnerability was added to popular commercially available attack toolkits, such as BlackHole. The patch from Java actually corrects two flaws.

The fix is only for Java in the browser, as the vulnerabilities do not impact Java on servers, embedded systems or desktop applications, said Eric Maurice, director of software security assurance at Oracle, in a Sunday blog post.

"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website," Maurice wrote. "The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets."

But most security experts believe activating Java in the browser is usually unnecessary because one's web experience won't be hampered without it.

"Unless you absolutely, positively need it for something essential, patching Java is not the answer – uninstalling it is," tweeted Troy Hunt, a software architect based in Australia.

Security blogger Brian Krebs over the weekend posted a helpful Q&A regarding the latest vulnerability.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Four men charged with stealing Microsoft and U.S. Army trade secrets

Four men charged with stealing Microsoft and U.S. ...

The young men allegedly used SQL injection and stolen logins to gain access to systems at various companies and steal their intellectual property.

Google bumps maximum Chrome bug bounty reward to $15K

A high-quality report with a functional exploit for a sandbox escape will earn a bug hunter $15,000, according to the new reward amounts.

Survey: orgs adopt hybrid cloud environments despite security concerns

Survey: orgs adopt hybrid cloud environments despite security ...

Despite difficulties and concerns regarding security, more than 60 percent of respondents have adopted or plan to adopt a hybrid cloud environment.