As exploits climb, Oracle patches Java 7

Share this article:

Responding to a widening outbreak of Java malware, Oracle on Sunday dispensed an urgent fix for the latest version of the software platform.

The patch (Java SE 7 Update 11) falls out of line with Oracle's typical quarterly updating of Java, which was next scheduled for Feb. 15. But the fix became pressing last week when reports of exploits taking advantage of a critical hole began skyrocketing after the vulnerability was added to popular commercially available attack toolkits, such as BlackHole. The patch from Java actually corrects two flaws.

The fix is only for Java in the browser, as the vulnerabilities do not impact Java on servers, embedded systems or desktop applications, said Eric Maurice, director of software security assurance at Oracle, in a Sunday blog post.

"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website," Maurice wrote. "The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets."

But most security experts believe activating Java in the browser is usually unnecessary because one's web experience won't be hampered without it.

"Unless you absolutely, positively need it for something essential, patching Java is not the answer – uninstalling it is," tweeted Troy Hunt, a software architect based in Australia.

Security blogger Brian Krebs over the weekend posted a helpful Q&A regarding the latest vulnerability.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.

EU conducts massive cyberattack simulation on critical networks

Conducted by the European Union Agency for Network and Information Security, the simulation launched 2,000 attacks on the networks of various critical infrastructure organizations.