37 critical Java holes to be fixed today
Oracle has published a pre-announcement of the fixes it plans to apply to Java SE in its critical patch update (CPU) due later today. The company says that 40 security fixes have been included and that, of those, 37 can be remotely exploited without the need for a username or password.
The fixes are for all versions of Java that are publicly or contractually supported: Java SE 7 Update 21 and earlier, Java SE 6 Update 45 and earlier and Java SE 5 Update 45 and earlier. There are also fixes for JavaFX 2.2.21 and earlier. Oracle recommends that these updates, once published, should be installed as soon as possible because of the risk posed by attacks successfully exploiting these vulnerabilities.
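To triage an inventory against the ranges above, the following added example (not from Oracle or the original article) classifies `java -version` output using the update ceilings the article lists. Host names and sample outputs are constructed, the "not-listed" and "newer-than-listed" labels are this example's own, and JavaFX is not covered.

```python
import re

# Highest affected update per Java SE family, as listed in the article.
AFFECTED_MAX_UPDATE = {5: 45, 6: 45, 7: 21}

# Legacy version string printed by `java -version`, e.g. 1.7.0_21 or 1.7.0
VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # A GA build has no "_NN" suffix; treat it as update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify one host's version output against the article's ranges."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    ceiling = AFFECTED_MAX_UPDATE.get(family)
    if ceiling is None:
        return "not-listed"  # family the article does not mention
    return "affected" if update <= ceiling else "newer-than-listed"


def triage(inventory):
    """Map host -> classification; inventory maps host -> version output."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hypothetical hosts and captured output).
SAMPLE = {
    "ws-01": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment',
    "ws-02": 'java version "1.6.0_45"',
    "ws-03": 'java version "1.7.0"',
    "ws-04": 'java version "1.7.0_25"',
    "ws-05": 'java version "1.4.2_19"',
    "ws-06": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```

`java -version` writes to stderr, so capture it with `2>&1` when collecting output from hosts.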
Users who are concerned about Java vulnerabilities should, in general, disable the Java plugin in their browsers, as the plugin is the most common vector for attacks that exploit these vulnerabilities. The most recent Java updates include a switch in the Java Control Panel on Windows to disable Java in the browser. Instructions for other versions of Java and browsers are available from the respective browser vendors:
- Deactivating the Java plugin in Firefox
- Deactivating the Java plugin in Chrome
- Deactivating the Java plugin in Safari