
Oracle releases Java update to close 37 high-risk vulnerabilities

Oracle on Tuesday released its latest Java update, version SE 7 Update 25.

The update addresses 40 vulnerabilities in the software, 37 of which can be exploited remotely without authentication. In addition, 11 of the bugs received the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0, reflecting the severity of the threat they pose to users.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative (ZDI) team, said in an email that 10 of the "high-risk vulnerabilities" were reported by ZDI and included flaws covering "a wide spectrum of software weaknesses," including sandbox bypasses and heap-based buffer overflows.

"These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code," Gorenc said in prepared comments sent to SCMagazine.com. "With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue."

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.

Starting in October, Java updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update.

Oracle is undertaking new efforts to ensure security in the popular platform in the wake of a number of widespread exploits and slow response times to patch. Still, some in the security field believe companies should disable Java running in the browser because it presents an inviting attack vector for criminals and is not necessary for interaction with most sites.

[This article was updated to clarify that HP's Zero Day Initiative team disclosed some of the vulnerabilities in the Critical Patch Update.]
