Fixes for Java vulnerabilities have now begun to roll out as part of Oracle's quarterly security release.
Nearly half the patches in the Critical Patch Update (CPU) released Tuesday, 51 out of 127, will rectify issues in the Java browser plug-in. Furthermore, 12 out of the 51 Java bugs received the most severe threat rating, or CVSS score, of 10 in the update.
On Wednesday, Chester Wisniewski, a senior security advisor at security firm Sophos, wrote on the company's Naked Security blog that an overwhelming majority of the Java bugs affected Java Applets and Java WebStart.
“51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plug-in that runs Java in your web browser,” Wisniewski wrote. “Worse yet, all but one are remotely exploitable without authentication. Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.”
Wisniewski recommended that users check to verify that the latest Java update, 7u45, was installed in their browser by visiting a page on Java.com. Lastly, he urged users to disable the notoriously buggy software, if the application isn't necessary.
Along with the release of Java 7u45, the CPU also included patches for other Oracle products including its Database Server, Enterprise Manager Grid Control, Fusion Middleware, Financial Services software, and MySQL and PeopleSoft products, among others.
In June, Nandini Ramani, the lead for Java's software development team, announced that Java's updates would be released four times a year coinciding with Oracle's CPU, instead of as a standalone release occurring only three times annually. The October Critical Patch Update marks the start of the change.
