Oracle plugs security holes: Updates for Java 1.4 to 7
On Tuesday night, Oracle published the promised follow-up to the emergency "Critical Patch Update" that the company had released ahead of schedule three weeks ago. The update affects all Java runtime environments from version 1.4 up to and including the current version 7.
This update is designed to close three holes carrying the highest threat rating of 10. These vulnerabilities have the CVE identifiers CVE-2013-1484, CVE-2013-1486 and CVE-2013-1487 and can be exploited remotely without authentication. They affect the libraries, the deployment components and, once again, JMX; the Java Management Extensions were at the centre of the holes discovered by security researcher Adam Gowdiak.
All three holes, as well as a fourth, less severe one (CVE-2013-1485) in the libraries, relate to the execution of Java in browsers via Web Start. In Germany, for example, this technology is used for applications such as the ElsterOnline online tax return system and the official AusweisApp ID service.
Oracle has also closed the vulnerability in the TLS/SSL implementation known as "Lucky 13" (CVE-2013-0169). The associated attacks exploit the fact that decrypting certain specially crafted messages takes longer than decrypting other messages, which leaks information through timing. However, the researchers who discovered this vulnerability don't consider it a viable attack vector, and Oracle has rated the hole at a threat level of 4.3 out of a possible maximum of 10. It is the only hole in the latest bulletin that affects server-side use of Java.
Java users should update as soon as possible. For Mac OS X, Apple has made an updated version of Java 6 available via the software update feature. Those who use its successor must obtain the software from Oracle directly. The next scheduled update for Java is set for 16 April.
With this patch, Oracle has provided the last public security updates for Java 6. Future updates for this version will only be available to paying support customers. Java 6 is currently still the most widely used desktop version.