As exploits climb, Oracle patches Java 7

Share this article:

Responding to a widening outbreak of Java malware, Oracle on Sunday dispensed an urgent fix for the latest version of the software platform.

The patch (Java SE 7 Update 11) falls out of line with Oracle's typical quarterly updating of Java, which was next scheduled for Feb. 15. But the fix became pressing last week when reports of exploits taking advantage of a critical hole began skyrocketing after the vulnerability was added to popular commercially available attack toolkits, such as BlackHole. The patch from Java actually corrects two flaws.

The fix is only for Java in the browser, as the vulnerabilities do not impact Java on servers, embedded systems or desktop applications, said Eric Maurice, director of software security assurance at Oracle, in a Sunday blog post.

"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website," Maurice wrote. "The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets."

But most security experts believe activating Java in the browser is usually unnecessary because one's web experience won't be hampered without it.

"Unless you absolutely, positively need it for something essential, patching Java is not the answer – uninstalling it is," tweeted Troy Hunt, a software architect based in Australia.

Security blogger Brian Krebs over the weekend posted a helpful Q&A regarding the latest vulnerability.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.