Oracle releases Java update to close 37 high-risk vulnerabilities

Share this article:
Oracle releases Java update to close 37 high-risk vulnerabilities
Oracle releases Java update to close 37 high-risk vulnerabilities

Oracle on Tuesday released its latest update for Java with the release of version SE 7 Update 25.

The update addresses 40 vulnerabilities in the software, which include 37 flaws that can be remotely exploited without authentication. In addition, 11 of the bugs received the highest common vulnerability scoring system (CVSS) rating of 10.0 due to their significant threat level to users.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative team, said in an email that 10 of the "high-risk vulnerabilities" were disclosed by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.

"These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code," Gorenc said in prepared comments sent to SCMagazine.com. "With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue."

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.

Starting in October, Java updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update. 

Oracle is undertaking new efforts to ensure security in the popular platform in the wake of a number of widespread exploits and slow response times to patch. Still, some in the security field believe companies should disable Java running in the browser because it presents an inviting attack vector for criminals and is not necessary for interaction with most sites.

[This article was updated to clarify that HP's Zero Day Initiative team disclosed some of the vulnerabilities in the Critical Patch Update.]
Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.