Fixes for 51 Java bugs come with Oracle's Critical Patch Update


Fixes for Java vulnerabilities have now begun to roll out as part of Oracle's quarterly security release.

Nearly half the patches in the Critical Patch Update (CPU) released Tuesday, 51 out of 127, address issues in the Java browser plug-in. Furthermore, 12 of the 51 Java bugs received the most severe threat rating in the update, a CVSS score of 10.

On Wednesday, Chester Wisniewski, a senior security advisor at security firm Sophos, wrote on the company's Naked Security blog that an overwhelming majority of the Java bugs affected Java Applets and Java WebStart.

“51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plug-in that runs Java in your web browser,” Wisniewski wrote. “Worse yet, all but one are remotely exploitable without authentication. Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.”

Wisniewski recommended that users verify that the latest Java update, 7u45, is installed in their browser by visiting a version-check page on Java.com. He also urged users to disable the notoriously buggy plug-in altogether if it isn't needed.

Along with the release of Java 7u45, the CPU also included patches for other Oracle products including its Database Server, Enterprise Manager Grid Control, Fusion Middleware, Financial Services software, and MySQL and PeopleSoft products, among others.

In June, Nandini Ramani, the lead for Java's software development team, announced that Java's updates would be released four times a year coinciding with Oracle's CPU, instead of as a standalone release occurring only three times annually. The October Critical Patch Update marks the start of the change.
