Oracle has released a Java update addressing 50 vulnerabilities, two weeks ahead of schedule. The company has faced an uphill security battle in the last year, finding itself pitted against researchers and criminals who have discovered hundreds of flaws.
Oracle said the early release is due to “active exploitation ‘in the wild’ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers,” though they didn’t say which of the 49 patches addressing remote code execution it vulnerabilities was being referred to.
Last month, researchers discovered a vulnerability in Java that was being widely exploited online after it was added to the Blackhole and Cool Exploit crime kits. Oracle responded by releasing a patch a short time later. However, that patch didn’t completely fix the issue, and included two additional flaws, compounding what was already a major problem.
Oracle is encouraging that everyone update their Java installations immediately, a sentiment that is mirrored by the Department of Homeland Security. However, the DHS says that until updates can be applied, the public is encouraged to disable Java within their browsers.
“These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment,” a DHS advisory (via US CERT) says.
During a conference call with Java users and developers last month, Oracle’s Milton Smith, head of Java security, said that Java must be fixed.
“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other… No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have to fix Java.”
