Oracle releases Java update to close 37 high-risk vulnerabilities


Oracle on Tuesday released its latest update for Java with the release of version SE 7 Update 25.

The update addresses 40 vulnerabilities in the software, 37 of which can be remotely exploited without authentication. In addition, 11 of the bugs received the highest Common Vulnerability Scoring System (CVSS) rating of 10.0 because of the significant threat they pose to users.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative team, said in an email that 10 of the "high-risk vulnerabilities" had been disclosed through his team and covered "a wide spectrum of software weaknesses," including sandbox bypasses and heap-based buffer overflows.

"These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code," Gorenc said in prepared comments sent to SCMagazine.com. "With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue."

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.
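The frame injection class the Javadoc fix addresses, shown here as an added example that is not Oracle's, Javadoc's or the article's code: a frame-loading script takes the page to display from the query string, first in a form that trusts the value and then in a hardened form that accepts only relative `.html` paths. The details are assumed for illustration: an index page that reads `window.location.search`, a frame named `classFrame`, and `overview-summary.html` as the fallback page.

```javascript
// Added example (not Javadoc's code). Assumed layout: index.html?pkg/Foo.html
// loads pkg/Foo.html into the frame "classFrame" of a trusted frameset.

// Vulnerable pattern: whatever follows "?" is used as a frame location, so a
// link such as index.html?http://attacker.example/phish.html makes the trusted
// documentation site display attacker-controlled content inside its frameset.
function vulnerableTarget(search) {
  const target = search.startsWith('?') ? search.substring(1) : search;
  return target === '' ? null : target; // no validation at all
}

// Hardened pattern: the value must be a relative path of simple segments
// ([A-Za-z0-9_$], '.', '-'), end in ".html", and may carry a fragment.
// A leading '.' per segment is not allowed, which rules out ".." traversal.
const SAFE_PAGE = /^([A-Za-z0-9_$][A-Za-z0-9_$.\-]*\/)*[A-Za-z0-9_$][A-Za-z0-9_$.\-]*\.html(#[A-Za-z0-9_$.\-]*)?$/;

function safeTarget(search) {
  const target = search.startsWith('?') ? search.substring(1) : search;
  if (target === '') return null;
  // Core check: any scheme (http:, javascript:, data: ...) or protocol-relative
  // form (//host/...) must never reach the frame. The regex would also reject
  // these, but the explicit test documents the intent.
  if (target.includes(':') || target.startsWith('//')) return null;
  return SAFE_PAGE.test(target) ? target : null;
}

// What the page-load code should do with the result: fall back to a known
// page instead of loading anything that failed validation.
function resolveFrameTarget(search, fallback) {
  const page = safeTarget(search);
  return page === null ? fallback : page;
}

// Simulated frame assignment: `top` is a constructed stand-in for the window.
function loadFrames(search, top) {
  top.classFrame.location = resolveFrameTarget(search, 'overview-summary.html');
  return top.classFrame.location;
}

if (typeof require !== 'undefined' && require.main === module) {
  const top = { classFrame: { location: '' } };
  console.log(loadFrames('?com/example/Foo.html', top));        // com/example/Foo.html
  console.log(loadFrames('?http://attacker.example/x.html', top)); // overview-summary.html
}
```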

Starting in October, Java updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update. 

Oracle is undertaking new efforts to ensure security in the popular platform in the wake of a number of widespread exploits and slow response times to patch. Still, some in the security field believe companies should disable Java running in the browser because it presents an inviting attack vector for criminals and is not necessary for interaction with most sites.

[This article was updated to clarify that HP's Zero Day Initiative team disclosed some of the vulnerabilities in the Critical Patch Update.]