
Oracle Patches Java Again In Response to Online Attacks

For the third time in less than a month, organizations and home users who are still using Java, for whatever reason that may be, now need to apply yet another update. This latest patch, released Monday, addresses a bug that was first reported more than a month ago.

Oracle’s latest Java patch fixes vulnerabilities in JRE and JDK 7 Update 15 or earlier; JRE or JDK 6 Update 41 or earlier; and JRE and JDK 5.0 Update 40 and earlier. As mentioned, the main bug was submitted in early February; the principal flaw is tracked as CVE-2013-1493.

According to a company blog post, the bug described in CVE-2013-1493 was reported on February 1, which Oracle said was too late for it to be included in the February 19th release of the Critical Patch Update for Java SE, although reports of active exploitation have since been received.

“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE... However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”

On Friday, SecurityWeek reported that researchers with Symantec and FireEye said the latest Java flaw was linked to last month’s attack on security firm Bit9. That breach, as was reported, came down to the company’s own internal policies not being followed.

For now, if you still cannot find a reason to just walk away from Java, Oracle urges you or your organization to apply this patch without further delay. As with most Java flaws, this one affects only systems where Java is running in the browser, so Oracle server-based software, embedded Java apps, desktop Java apps, and server-based installations of Java are not being singled out.
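To turn the version ranges above into an inventory check, here is an added Python example (not from the article or from Oracle) that parses the output of `java -version` and reports whether the installed JRE/JDK falls inside the ranges the alert lists. It assumes the classic `java version "1.7.0_15"` string format; because the article gives only "Update N or earlier" thresholds, anything above a threshold is treated as patched, and major versions the alert does not name are reported as unknown.

```python
import re
import subprocess

# Affected ranges as stated in the article: JRE/JDK 7 Update 15 or earlier,
# 6 Update 41 or earlier, 5.0 Update 40 or earlier. Keyed by major version.
LAST_AFFECTED_UPDATE = {7: 15, 6: 41, 5: 40}

# Assumed format of the first line of `java -version`, e.g. java version "1.7.0_15"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # no _NN suffix means update 0
    return major, update


def is_affected(output):
    """True if the version is within the listed ranges, False if above them,
    None if the string cannot be parsed or the major version is not one the alert names."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    if major not in LAST_AFFECTED_UPDATE:
        return None
    return update <= LAST_AFFECTED_UPDATE[major]


def check_installed_java():
    """Run the local `java -version` (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None  # no Java on PATH, or it hung
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample strings in the format `java -version` prints.
    for sample in ('java version "1.7.0_15"', 'java version "1.7.0_17"',
                   'java version "1.6.0_43"', 'java version "1.5.0_22"'):
        print(sample, "->", is_affected(sample))
    print("installed Java affected:", check_installed_java())
```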

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.