Fixes for 51 Java bugs come with Oracle's Critical Patch Update

Fixes for Java vulnerabilities have now begun to roll out as part of Oracle's quarterly security release.

Nearly half the patches in the Critical Patch Update (CPU) released Tuesday, 51 out of 127, will rectify issues in the Java browser plug-in. Furthermore, 12 out of the 51 Java bugs received the most severe threat rating, or CVSS score, of 10 in the update.

On Wednesday, Chester Wisniewski, a senior security advisor at security firm Sophos, wrote on the company's Naked Security blog that an overwhelming majority of the Java bugs affected Java Applets and Java WebStart.

“51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plug-in that runs Java in your web browser,” Wisniewski wrote. “Worse yet, all but one are remotely exploitable without authentication. Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.”

Wisniewski recommended that users verify that the latest Java update, 7u45, is installed in their browser by visiting a page on Java.com. Lastly, he urged users to disable the notoriously buggy software if it isn't necessary.

Along with the release of Java 7u45, the CPU also included patches for other Oracle products including its Database Server, Enterprise Manager Grid Control, Fusion Middleware, Financial Services software, and MySQL and PeopleSoft products, among others.

In June, Nandini Ramani, the lead for Java's software development team, announced that Java's updates would be released four times a year coinciding with Oracle's CPU, instead of as a standalone release occurring only three times annually. The October Critical Patch Update marks the start of the change.
