Oracle Issues Massive Java Update Early


Oracle issued an out-of-band security update to Java, repairing a slew of vulnerabilities in the software, including a zero-day flaw that has been actively exploited by attackers.

The emergency Java SE security fixes come two weeks before Oracle's regularly scheduled round of updates. The Oracle Java critical patch update contains fixes for 50 vulnerabilities, 49 of which are remotely exploitable.

Oracle accelerated the release of the patch update because of the "active exploitation in the wild" of one of the vulnerabilities affecting the Java Runtime Environment in desktop browsers, the company said in its advisory issued late Friday.


The update affects all currently supported editions of the Java Runtime Environment. The bulk of the vulnerabilities, 44 of them, can be exploited on desktops through Java Web Start applications or Java applets, said Eric Maurice, software security assurance director at Oracle. In the company's blog, Maurice wrote that Oracle switched the Java security settings to "high" by default for the Java Runtime Environment running in the browser.

"The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers," Maurice wrote. "Oracle felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers."

Oracle also rushed out a security update Jan. 13, repairing a Java zero-day vulnerability that was being actively targeted by attackers.

Ongoing attacks targeting Java have prompted calls from some security firms to remove the software from systems where it is not needed. The United States Computer Emergency Readiness Team (US-CERT) issued an advisory recommending disabling Java in Web browsers because of the prevalence of attacks. The organization reiterated that point in an advisory issued for the latest Java security update.

"Starting with Java 7 Update 10, it is possible to disable Java content in Web browsers through the Java control panel applet," US-CERT said. "Network administrators unable to disable Java in Web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets."
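As an added example, not code from the article, Oracle or US-CERT: a small audit script that reads a Java 7u10+ deployment.properties file and reports whether the two settings referred to above, Java content in browsers and the security level, are in the hardened state. The property names are Oracle's documented deployment.properties keys; the two sample files are constructed.

```python
# Added example: audit a Java 7u10+ deployment.properties file for browser
# hardening. Property names are Oracle's documented keys; a trailing
# ".locked" entry in the system-level file prevents users from changing
# the setting. The sample file contents below are constructed.
from typing import Dict, List

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '=' or ':' separators, '#'/'!'
    comments, backslash line continuations, bare keys with no value."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continued on the next line
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""              # e.g. "deployment.webjava.enabled.locked"
    return props

def audit_browser_java(props: Dict[str, str]) -> Dict[str, object]:
    """Return the effective browser-Java state plus a list of findings."""
    web_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    locked = "deployment.webjava.enabled.locked" in props
    level = props.get("deployment.security.level", "").upper() or None
    findings: List[str] = []
    if web_enabled:
        findings.append("Java content in browsers is enabled; US-CERT recommends disabling it")
        if level is None:
            findings.append("deployment.security.level not set; relying on the JRE default")
        elif level not in ("HIGH", "VERY_HIGH"):
            findings.append(f"deployment.security.level is {level}, below HIGH")
    elif not locked:
        findings.append("browser Java is disabled but not locked; a user can re-enable it")
    return {"web_java_enabled": web_enabled, "locked": locked,
            "security_level": level, "findings": findings}

SAMPLE_WEAK = "# constructed user-level file\ndeployment.webjava.enabled=true\ndeployment.security.level=MEDIUM\n"
SAMPLE_HARDENED = ("# constructed system-level file\ndeployment.webjava.enabled=false\n"
                   "deployment.webjava.enabled.locked\ndeployment.security.level=HIGH\n")

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_browser_java(parse_properties(text)))
```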

Many of the attacks targeting Java are being driven by automated attack toolkits. Black Hole, Eleonore and Phoenix are among the most popular attack platforms, sold in underground forums with a license that gives cybercriminals updates providing exploits for some of the latest vulnerabilities. A recent study by Omaha, Neb.-based managed security services provider Solutionary found that the kits are good at targeting older vulnerabilities. The company said organizations often have poor patch management programs and fail to deploy patches altogether.

PUBLISHED FEB. 4, 2013