
Oracle releases critical fixes for Java


Oracle has released Java SE 7 Update 25 as its latest update for Java.

The update addresses 40 vulnerabilities in the software, 37 of which can be exploited remotely without authentication. Eleven of the bugs carry the highest possible Common Vulnerability Scoring System (CVSS) base score of 10.0, which denotes a flaw that is exploitable over the network, needs no authentication and allows complete compromise of the affected system's confidentiality, integrity and availability.

Brian Gorenc, manager of HP Security Research's Zero Day Initiative (ZDI) team, said that ten of the high-risk vulnerabilities were discovered by the company and covered "a wide spectrum of software weaknesses", including sandbox bypasses and heap-based buffer overflows.

“These specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code,” Gorenc told SC Magazine US.

“With most of these issues originally reported by [us] in early April, Oracle seems to be reacting quickly to high-severity vulnerabilities. We look forward to seeing this trend continue.”

Oracle posted an advisory to its site on Tuesday highlighting a fix for its Javadoc tool, which generates application programming interface (API) documentation in HTML format. Before the patch, HTML documentation generated by Javadoc was vulnerable to frame injection when hosted on a web server. Note that updating the JDK only fixes documentation generated from then on; documentation that has already been generated and published has to be regenerated or repaired in place, and Oracle published a separate Java API Documentation Updater Tool for that purpose.
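The frame-injection class behind the Javadoc fix is easiest to understand beside its hardened form. The following is an added illustrative example, not Oracle's Javadoc code or its actual patch: it assumes the classic frameset index page that loads whatever page name follows the `?` in its own URL, and the function names, the fallback page and the sample query strings are constructed for this demonstration.

```javascript
// Illustrative example of the frame-injection class described above.
// This is not Oracle's Javadoc code: the function names, the fallback
// page and the sample query strings are assumptions made for this
// demonstration.

const FALLBACK_PAGE = "overview-summary.html";

// Strip the leading "?" from a location.search-style string.
function queryTarget(queryString) {
  return queryString.startsWith("?") ? queryString.slice(1) : queryString;
}

// Vulnerable pattern: whatever follows "?" in the frameset URL is used,
// unchecked, as the content frame's src. A link such as
// index.html?http://attacker.example/login.html then renders the
// attacker's page inside the trusted documentation site's frames.
function vulnerableTargetFromQuery(queryString) {
  const target = queryTarget(queryString);
  return target === "" ? FALLBACK_PAGE : target;
}

// Hardened form: accept only a relative .html path (plus an optional
// anchor) inside the documentation tree; anything else falls back to
// the default page.
function safeTargetFromQuery(queryString) {
  const target = queryTarget(queryString);
  if (target === "") return FALLBACK_PAGE;

  // Decode first so percent-encoded "/" or ":" cannot bypass the checks.
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch (e) {
    return FALLBACK_PAGE; // malformed percent-encoding
  }

  const parts = decoded.split("#");
  if (parts.length > 2) return FALLBACK_PAGE;
  const [path, anchor] = parts;

  // Absolute ("/x") and protocol-relative ("//host/x") paths leave the tree.
  if (path.startsWith("/")) return FALLBACK_PAGE;
  // Conservative whitelist: no ":" (rejects javascript:, http:, data:),
  // no "\" and no whitespace; the path must be an .html page.
  if (!/^[A-Za-z0-9_.\/-]+\.html$/.test(path)) return FALLBACK_PAGE;
  // The whitelist admits ".", so reject parent-directory traversal explicitly.
  if (path.split("/").includes("..")) return FALLBACK_PAGE;
  // Javadoc anchors look like "hashCode()" or "equals(java.lang.Object)".
  if (anchor !== undefined && !/^[A-Za-z0-9_.$(),-]*$/.test(anchor)) {
    return FALLBACK_PAGE;
  }
  return decoded;
}

// Constructed sample inputs: one legitimate Javadoc link and three hostile ones.
const SAMPLE_QUERIES = [
  "?java/lang/String.html#hashCode()",
  "?http://attacker.example/login.html",
  "?//attacker.example/login.html",
  "?%2F%2Fattacker.example/login.html",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const q of SAMPLE_QUERIES) {
    console.log(q, "=>", vulnerableTargetFromQuery(q), "|", safeTargetFromQuery(q));
  }
}
```

The design point is that the hardened version decides what a legitimate target looks like and rejects everything else, rather than trying to enumerate bad prefixes; the decode-before-check step matters because a check on the raw string would pass `%2F%2F` and the browser would still resolve it as a protocol-relative URL.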

Oracle has also announced that, starting in October, Java SE updates will move from their own three-times-a-year schedule to the quarterly cycle of Oracle's main Critical Patch Update.

Amol Sarwate, director of engineering at Qualys, said: “All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox.

“Today's CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.”

Ross Barrett, senior manager of security engineering at Rapid7, said: “Of the 40 fixes in Oracle's Java SE CPU, 37 are remotely exploitable. The majority are vulnerable through browser plug-ins, 11 of which are exploitable for complete control of the underlying operating system.

“The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It's highly likely that earlier versions are also vulnerable.

“Java servers are affected by four of the disclosed issues, the worst of which scores a CVSS score of 7.5 out of 10 in terms of base risk.

“The recommendation here, as always, is for all users to patch as quickly as possible. There are a good number of researchers that have been credited for these fixes and it's likely that proof of concept code will be released now that patches are available.”
