Fixes for 51 Java bugs come with Oracle's Critical Patch Update


Fixes for Java vulnerabilities have now begun to roll out as part of Oracle's quarterly security release.

Nearly half the patches in the Critical Patch Update (CPU) released Tuesday, 51 out of 127, will rectify issues in the Java browser plug-in. Furthermore, 12 out of the 51 Java bugs received the most severe threat rating, or CVSS score, of 10 in the update.

On Wednesday, Chester Wisniewski, a senior security advisor at security firm Sophos, wrote on the company's Naked Security blog that an overwhelming majority of the Java bugs affected Java Applets and Java WebStart.

“51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plug-in that runs Java in your web browser,” Wisniewski wrote. “Worse yet, all but one are remotely exploitable without authentication. Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.”

Wisniewski recommended that users verify that the latest Java update, 7u45, is installed in their browser by visiting a page on Java.com. Lastly, he urged users to disable the notoriously buggy software if the application isn't necessary.
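For administrators who want to perform the version check the article describes across many machines rather than by visiting Java.com in each browser, the following added example (not code from the article, Sophos or Oracle) parses the output of `java -version` and reports whether the installed runtime is at or above 7u45. It assumes the version-string format Oracle used for Java 7, `1.7.0_45`, where `_45` is the update number; the sample output strings in the test are constructed.

```python
import re
import subprocess

# Baseline from the article: Java 7 Update 45, reported by the JVM as "1.7.0_45".
PATCHED = (1, 7, 0, 45)

# Matches the first line of `java -version`, e.g. java version "1.7.0_45"
# or openjdk version "1.8.0_181". The "_NN" update suffix is optional.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` text,
    or None when no version line is present (e.g. Java is not installed)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(output, baseline=PATCHED):
    """True when the parsed version is at least the baseline.
    Tuple comparison handles the update number correctly: 1.7.0_45 > 1.7.0_9."""
    version = parse_java_version(output)
    return version is not None and version >= baseline


def installed_java_version_output():
    """Run `java -version` on this host. The JVM prints its banner to stderr,
    so both streams are returned. Returns '' if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_version_output()
    version = parse_java_version(banner)
    if version is None:
        print("no Java runtime found on PATH")
    else:
        status = "at or above 7u45" if is_patched(banner) else "BELOW 7u45, update needed"
        print("installed Java %d.%d.%d_%d is %s" % (version + (status,)))
```

The comparison is done on a numeric tuple rather than on the raw string so that `1.7.0_45` correctly ranks above `1.7.0_9`, which a plain string comparison would get wrong. Note that the check only covers the runtime on `PATH`; a browser may load a different, older plug-in, which is one reason the quoted advice is to disable the plug-in when it is not needed.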

Along with the release of Java 7u45, the CPU also included patches for other Oracle products including its Database Server, Enterprise Manager Grid Control, Fusion Middleware, Financial Services software, and MySQL and PeopleSoft products, among others.

In June, Nandini Ramani, the lead for Java's software development team, announced that Java's updates would be released four times a year coinciding with Oracle's CPU, instead of as a standalone release occurring only three times annually. The October Critical Patch Update marks the start of the change.
