Oracle releases Java update to close 37 high-risk vulnerabilities

Oracle on Tuesday released its latest update for Java with the release of version SE 7 Update 25.

The update addresses 40 vulnerabilities in the software, including 37 flaws that can be remotely exploited without authentication. In addition, 11 of the bugs received the highest Common Vulnerability Scoring System (CVSS) rating of 10.0 because of the severity of the threat they pose to users.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative team, said in an email that 10 of the "high-risk vulnerabilities" were disclosed by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.

"These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code," Gorenc said in prepared comments sent to SCMagazine.com. "With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue."

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.

Starting in October, Java updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update.

Oracle is undertaking new efforts to ensure security in the popular platform in the wake of a number of widespread exploits and slow response times to patch. Still, some in the security field believe companies should disable Java running in the browser because it presents an inviting attack vector for criminals and is not necessary for interaction with most sites.

[This article was updated to clarify that HP's Zero Day Initiative team disclosed some of the vulnerabilities in the Critical Patch Update.]