
Oracle releases critical fixes for Java


Oracle has released Java SE 7 Update 25 as its latest update for Java.

The update addresses 40 vulnerabilities in the software, including 37 flaws that can be exploited remotely without authentication. Eleven of the bugs received the highest Common Vulnerability Scoring System (CVSS) rating of 10.0 because of the severity of the threat they pose to users.

Brian Gorenc, manager of HP Security Research's zero-day initiative team, said that ten of the high-risk vulnerabilities were discovered by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.

“These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code,” Gorenc told SC Magazine US.

“With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue.”

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.
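The frame-injection issue above arises when a page picks the document shown in a frame from user-controlled input without checking it. The following is an added example, not code from the article or from Oracle's Javadoc tool, of the defensive check such a page needs. It assumes (an assumption, not something the article states) a frame-based layout that reads the target page from the URL fragment, as in `index.html#com/example/Foo.html`, and restricts the frame to plain relative `.html` paths inside the documentation tree; the element id `classFrame` and the default page name are likewise assumed.

```javascript
// Added example: validate a frame target taken from the URL fragment so that
// only relative pages under the documentation root can be loaded into the frame.
// The fragment-driven layout, the element id and the default page are assumptions.

const DEFAULT_PAGE = 'overview-summary.html';

// Matches a scheme prefix such as "http:", "https:" or "javascript:".
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;
// Characters allowed in a single path segment (Java packages, classes, inner classes).
const SEGMENT_RE = /^[A-Za-z0-9_.$-]+$/;

/**
 * Return a safe relative path for the content frame, or DEFAULT_PAGE when the
 * requested target could point outside the documentation tree.
 */
function safeFrameTarget(fragment) {
  if (typeof fragment !== 'string') return DEFAULT_PAGE;

  // window.location.hash carries a leading '#'; drop it.
  let target = fragment.startsWith('#') ? fragment.slice(1) : fragment;

  // Decode once so that percent-encoded traversal ("%2e%2e") is checked too.
  try {
    target = decodeURIComponent(target);
  } catch (e) {
    return DEFAULT_PAGE; // malformed encoding
  }
  if (target === '') return DEFAULT_PAGE;

  // Reject absolute URLs, scheme-relative URLs ("//host/...") and any scheme.
  if (SCHEME_RE.test(target) || target.startsWith('/') || target.startsWith('\\')) {
    return DEFAULT_PAGE;
  }

  // Reject empty segments, "." and "..", and anything outside the allowed charset.
  const segments = target.split('/');
  const segmentOk = (s) => s !== '' && s !== '.' && s !== '..' && SEGMENT_RE.test(s);
  if (!segments.every(segmentOk)) return DEFAULT_PAGE;

  // Only documentation pages may be framed.
  if (!target.endsWith('.html')) return DEFAULT_PAGE;

  return target;
}

/**
 * Apply the check to the page: load the validated target into the content frame.
 * Safe to call in non-browser environments (it simply does nothing there).
 */
function loadFrameFromHash() {
  if (typeof window === 'undefined' || typeof document === 'undefined') return;
  const frame = document.getElementById('classFrame'); // assumed frame id
  if (frame) frame.src = safeFrameTarget(window.location.hash);
}

loadFrameFromHash();
```

The important design point is that validation is done on a decoded value and that the allowed shape is described positively (relative path of permitted characters ending in `.html`) rather than by blocking a list of bad prefixes; either an external URL, a scheme-relative URL or a traversal sequence then falls back to the default page instead of being framed.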

Oracle also announced that, starting in October, Java updates will be released quarterly as part of Oracle's main Critical Patch Update, instead of three times a year.

Amol Sarwate, director of engineering at Qualys, said: “All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox.

“Today's CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.”

Ross Barrett, senior manager of security engineering at Rapid7, said: “Of the 40 fixes in Oracle's Java SE CPU, 37 are remotely exploitable. The majority are vulnerable through browser plug-ins, 11 of which are exploitable for complete control of the underlying operating system.

“The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It's highly likely that earlier versions are also vulnerable.

“Java servers are affected by four of the disclosed issues, the worst of which scores a CVSS score of 7.5 out of 10 in terms of base risk.

“The recommendation here, as always, is for all users to patch as quickly as possible. There are a good number of researchers that have been credited for these fixes and it's likely that proof of concept code will be released now that patches are available.”
