Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Pushes Massive Patch Release Ahead of Schedule

Oracle has released a Java update addressing 50 vulnerabilities, two weeks ahead of schedule. The company has faced an uphill security battle in the last year, finding itself pitted against researchers and criminals who have discovered hundreds of flaws.

Oracle has released a Java update addressing 50 vulnerabilities, two weeks ahead of schedule. The company has faced an uphill security battle in the last year, finding itself pitted against researchers and criminals who have discovered hundreds of flaws.

Oracle said the early release is due to “active exploitation ‘in the wild’ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers,” though they didn’t say which of the 49 patches addressing remote code execution it vulnerabilities was being referred to.

Last month, researchers discovered a vulnerability in Java that was being widely exploited online after it was added to the Blackhole and Cool Exploit crime kits. Oracle responded by releasing a patch a short time later. However, that patch didn’t completely fix the issue, and included two additional flaws, compounding what was already a major problem.

Oracle is encouraging that everyone update their Java installations immediately, a sentiment that is mirrored by the Department of Homeland Security. However, the DHS says that until updates can be applied, the public is encouraged to disable Java within their browsers.

“These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment,” a DHS advisory (via US CERT) says.

During a conference call with Java users and developers last month, Oracle’s Milton Smith, head of Java security, said that Java must be fixed.

“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other… No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have to fix Java.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.