Oracle has released a Java update addressing 50 vulnerabilities, two weeks ahead of schedule. The company has faced an uphill security battle in the last year, finding itself pitted against researchers and criminals who have discovered hundreds of flaws.
Oracle said the early release is due to “active exploitation ‘in the wild’ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers,” though it didn’t say which of the 49 patches addressing remote code execution vulnerabilities was being referred to.
Last month, researchers discovered a vulnerability in Java that was being widely exploited online after it was added to the Blackhole and Cool Exploit crime kits. Oracle responded by releasing a patch a short time later. However, that patch didn’t completely fix the issue, and included two additional flaws, compounding what was already a major problem.
Oracle is encouraging everyone to update their Java installations immediately, a sentiment that is mirrored by the Department of Homeland Security. However, the DHS says that until updates can be applied, the public is encouraged to disable Java within their browsers.
“These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment,” a DHS advisory (via US CERT) says.
During a conference call with Java users and developers last month, Oracle’s Milton Smith, head of Java security, said that Java must be fixed.
“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other… No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have to fix Java.”