This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Oracle releases critical fixes for Java

Share this article:
Apple patches Java flaw
Apple patches Java flaw

Oracle has released version SE 7, Update 25 as its latest update for Java.

The update addresses 40 vulnerabilities in the software, which include 37 flaws that can be remotely exploited without authentication. In addition, 11 of the bugs received the highest common vulnerability scoring system (CVSS) rating of 10.0 due to their significant threat level to users.

Brian Gorenc, manager of HP Security Research's zero-day initiative team, said that ten of the high-risk vulnerabilities were discovered by the company and included flaws covering "a wide spectrum of software weaknesses" including sandbox bypasses and heap-based buffer overflows.

“These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code,” Gorenc told SC Magazine US.

“With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue.”

Oracle posted an advisory to its site on Tuesday that highlighted a fix in its Javadoc tool, which is used for generating application programming interface (API) documentation in HTML format. Prior to the patch, API documentation in HTML format generated by the Javadoc tool was vulnerable to frame injection when hosted on a web server.

Starting in October, Java announced that its updates will be released on a quarterly basis, instead of three times a year, as part of Oracle's main Critical Patch Update. 

Amol Sarwate, director of engineering at Qualys, said: “All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox.

“Todays CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.”

Ross Barrett, senior manager of security engineering at Rapid7, said: “Of the 40 fixes in Oracle's Java SE CPU, 37 are remotely exploitable. The majority are vulnerable through browser plug-ins, 11 of which are exploitable for complete control of the underlying operating system.

“The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It's highly likely that earlier versions are also vulnerable.

Java servers are affected by four of the disclosed issues, the worst of which scores a CVSS score of 7.5 out of 10 in terms of base risk.

“The recommendation here, as always, is for all users to patch as quickly as possible. There are a good number of researchers that have been credited for these fixes and it's likely that proof of concept code will be released now that patches are available.”

Share this article:

Next Article in News

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.