The patch (Java SE 7 Update 11) falls out of line with Oracle's typical quarterly updating of Java, which was next scheduled for Feb. 15. But the fix became pressing last week when reports of exploits taking advantage of a critical hole began skyrocketing after the vulnerability was added to popular commercially available attack toolkits, such as BlackHole. The patch from Java actually corrects two flaws.
The fix is only for Java in the browser, as the vulnerabilities do not impact Java on servers, embedded systems or desktop applications, said Eric Maurice, director of software security assurance at Oracle, in a Sunday blog post.
"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website," Maurice wrote. "The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets."
But most security experts believe activating Java in the browser is usually unnecessary because one's web experience won't be hampered without it.
"Unless you absolutely, positively need it for something essential, patching Java is not the answer – uninstalling it is," tweeted Troy Hunt, a software architect based in Australia.Security blogger Brian Krebs over the weekend posted a helpful Q&A regarding the latest vulnerability.