Oracle releases Java update to close 37 high-risk vulnerabilities


On Tuesday, Oracle released its latest Java update, version SE 7 Update 25.

The update addresses 40 vulnerabilities in the software, which include 37 flaws that can be remotely exploited without authentication. In addition, 11 of the bugs received the highest common vulnerability scoring system (CVSS) rating of 10.0 due to their significant threat level to users.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative team, said in an email that 10 of the "high-risk vulnerabilities" were disclosed by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.

"These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code," Gorenc said in prepared comments sent to SCMagazine.com. "With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue."

Oracle also posted an advisory to its site on Tuesday highlighting a fix in its Javadoc tool, which generates application programming interface (API) documentation in HTML format. Before the patch, HTML documentation generated by Javadoc was vulnerable to frame injection when hosted on a web server.
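Frame injection in generated documentation arises when a page picks the URL for one of its frames from something the visitor controls, such as the fragment of the page URL, without checking it. The following is an added illustration of the defensive check, written for this article; it is not code from Oracle's Javadoc or from the advisory, and the function names, the allowed character set and the default page name are all assumptions chosen for the example.

```javascript
// Added example (not from the article or from Oracle's Javadoc source): a
// conservative validator for a frame target read from the page URL, the kind
// of check a frameset-based documentation site needs before assigning a
// frame's location. Function and parameter names are the example's own.

// Accept only a relative path inside the documentation tree, such as
// "java/lang/String.html" or "./index-all.html#foo". Anything that could
// navigate the frame to a different origin is rejected.
function isSafeFrameTarget(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Anything with a scheme ("https:", "javascript:", "data:", ...) is absolute.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(target)) return false;
  // Protocol-relative ("//host/...") and root- or backslash-anchored forms are refused.
  if (target.startsWith("/") || target.startsWith("\\")) return false;
  // Refuse traversal out of the documentation root.
  if (target.split(/[\\/]/).some((seg) => seg === "..")) return false;
  // Allow only the characters that appear in generated documentation file names
  // and fragments; percent-encoding is deliberately excluded so the checks above
  // cannot be bypassed by encoding.
  return /^[A-Za-z0-9_.\/#?=&-]+$/.test(target);
}

// Resolve the frame target from the URL hash (e.g. location.hash), falling back
// to a default summary page when the requested target fails validation.
function resolveFrameTarget(hash, fallback = "overview-summary.html") {
  const raw = typeof hash === "string" ? hash : "";
  const requested = raw.startsWith("#") ? raw.slice(1) : raw;
  return isSafeFrameTarget(requested) ? requested : fallback;
}
```

The design choice here is an allow-list: rather than trying to enumerate dangerous prefixes, the check accepts only relative paths made of a small set of characters and rejects everything else, so a new URL scheme or encoding trick fails closed to the default page instead of loading attacker-chosen content into the frame.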

Starting in October, Java updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update. 

Oracle is undertaking new efforts to secure the popular platform in the wake of a number of widespread exploits and slow patch response times. Still, some in the security field believe companies should disable Java in the browser, because it presents an inviting attack vector for criminals and is not needed to interact with most sites.

[This article was updated to clarify that HP's Zero Day Initiative team disclosed some of the vulnerabilities in the Critical Patch Update.]