Oracle releases emergency patches for Java
Oracle has released a large package of security updates for Java which addresses 50 vulnerabilities in Java both in the browser and on the server. The "Critical Patch Update February 2013" (CPU) for Java had been scheduled, says Oracle, for 19 February, but because one of the vulnerabilities was being exploited in the wild, the company brought the release forward. Oracle advises users to install the update as soon as possible because of "the threat posed by a successful attack". This probably explains why Apple disabled Java at the end of the week, as it most likely knew the update was arriving early.
Of the fifty vulnerabilities, twenty-six are rated at the highest CVSS level (10.0) and two at 9.3. All the vulnerabilities are accessible from the network without authentication, apart from one that affects the installation process. One of the flaws is rated CVSS 0.0 because, on its own, it is not an exploitable hole: this is the bug that security researcher Adam Gowdiak warned of last week, which allowed unsigned applets to run despite the security slider being set to High, and which could therefore enable other vulnerabilities to be exploited.
The Java 7 update is packaged as Java 7 Update 13; Update 11 was published only on 14 January. The Java Runtime Environment (JRE) update is available for Windows, Mac OS X, Linux and Solaris from the general download page. The CPU also includes an update for Java 6, Java 6 Update 39, which can be downloaded from the download area for developers. That page also carries updated versions of the Java Development Kit for Java 6 and 7.
Mac OS X 10.6.8 (Snow Leopard) users will find a "Java for Mac OS X 10.6 update 12" available through the software update function. Users of Java 7 on Mac OS X 10.7 and 10.8 who are not being alerted of an update should go to System Preferences, select Java and the Update tab, and click Update Now. Windows users should also be alerted by the Java update checker, which will download and update their Java installation. Oracle customers still using Java 5 or Java 1.4 should contact Oracle, as the company says it has produced updates for those editions too, even though they are no longer publicly supported.
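Administrators who need to confirm that an installation actually reached the patched level, rather than trusting that the update checker ran, can parse the banner that `java -version` prints and compare it against the update numbers named above (Java 7 Update 13, Java 6 Update 39). The following script is an added example and not part of the article or of Oracle's tooling; the sample version banners it contains are constructed to match the `java version "1.x.0_NN"` format and were not captured from real hosts.

```python
import re
import subprocess

# Minimum update levels shipped in the February 2013 CPU, taken from the article.
# Java 5 and 1.4 received fixes too but are not publicly downloadable, so they are
# deliberately left out and will be reported as "not verified".
FIXED_UPDATE = {7: 13, 6: 39}

# Matches the first line of `java -version`, e.g. java version "1.7.0_11"
# (OpenJDK builds of the era print the same "1.x.0_NN" shape).
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "1\.(\d+)\.(\d+)(?:_(\d+))?',
                         re.MULTILINE)


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` text, or None.

    '1.7.0_11' -> (7, 11); a banner without an update suffix counts as update 0."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(3)) if m.group(3) is not None else 0
    return family, update


def is_patched(output):
    """True only when the runtime is at or above the CPU February 2013 level.

    Unparseable output and version families not in FIXED_UPDATE return False,
    so anything that cannot be positively verified is treated as unpatched."""
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    family, update = parsed
    required = FIXED_UPDATE.get(family)
    if required is None:
        return False
    return update >= required


def check_installed_java():
    """Run the local `java -version` (which writes to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java binary found on PATH"
    banner = proc.stderr + proc.stdout
    parsed = parse_java_version(banner)
    if parsed is None:
        return "could not parse version banner"
    family, update = parsed
    status = "patched" if is_patched(banner) else "NOT patched or not verified"
    return "Java %d Update %d: %s" % (family, update, status)


# Constructed sample banners (build numbers are placeholders, not real values).
SAMPLE_OLD_7 = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b00)\n'
SAMPLE_NEW_7 = 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b00)\n'
SAMPLE_OLD_6 = 'java version "1.6.0_37"\n'
SAMPLE_NEW_6 = 'java version "1.6.0_39"\n'

if __name__ == "__main__":
    for name, banner in [("old 7", SAMPLE_OLD_7), ("new 7", SAMPLE_NEW_7),
                         ("old 6", SAMPLE_OLD_6), ("new 6", SAMPLE_NEW_6)]:
        print(name, "->", "patched" if is_patched(banner) else "not patched")
    print(check_installed_java())
```

The check reads only the version banner, so it says nothing about whether the browser plugin is enabled or whether older JRE copies remain installed side by side; it is a quick inventory aid, not a substitute for removing or disabling the plugin as the article recommends below.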
In an associated announcement, Oracle says the early release of the CPU is a sign of its intention "to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers". The CPU advisory credited ten different researchers or organisations for their reporting of vulnerabilities. The breadth of reports suggests that Oracle has been increasing its focus on securing Java, but currently Java in the browser is under constant attack from malware developers and there are still millions of vulnerable Java installations on consumer PCs.
With such a large update being rushed out, and as happened with the last update, criminals may take advantage of the situation by offering bogus "Java update" packages which actually install backdoors on systems. Users are reminded to download software only from trustworthy sources.
For users who do not want to be exposed to the risks at all, even after the update, it is still recommended that they disable Java in their browsers. The most recent Java updates include a switch in the Java Control Panel on Windows to disable Java in the browser. Instructions for other versions of Java and browsers are available:
- Deactivating the Java plugin in Firefox
- Deactivating the Java plugin in Chrome
- Deactivating the Java plugin in Safari