Oracle Releases Java Critical Patch Updates
Oracle Releases Java Critical Patch Updates
Written by Kay Ewbank   
Thursday, 18 April 2013

Two new major security updates have been issued by Oracle for Java for Mac OS and the Windows browser plug-in, each fixing a large number of severe vulnerabilities.

Both Critical Patch updates were released on Tuesday April 16th, i.e. in accordance with the regular schedule, but they fix a surprisingly large number of vulnerabilities - 42 in the case of the Windows browser update, and 21 for the Mac.

In the Oracle Security Assurance blog, Eric Maurice said that 39 of the vulnerabilities fixed in April's Critical Patch Update are remotely exploitable without authentication. He also said that the maximum CVSS Base Score (Common Vulnerability Scoring System) of  10.0 affected 19 of these vulnerabilities. 10 is the maximum score on the (CVSS).

Maurice said that only two of the 42 vulnerabilities can affect server deployments of Java. Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually require local access to be exploited.

The fact that the vulnerabilities are remotely exploitation without authentication means that if a user visits a compromised or malicious website, the attacker can run code on your machine. A recent report by F-Secure, the Finnish security company, highlighted a market increase in the use of botnets, exploits and banking Trojans for money-making attacks during the second half of 2012. The H2 Threat Report said that a particular threat was posed by exploits against the Java development platform:

"Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking Trojans (Zeus)."

The security patch for Windows is available from the Oracle Java SE Downloads page. Apple maintains Java for Mac OS and its patch, Java for OX X 2013-003, is available from the Apple Download center.


More Information

Oracle Java SE Critical Patch Update Advisory - April 2013

H2 Threat Report

Related Articles

Oracle Patches 86 Flaws in Database and Enterprise Products

Java Still Insecure Warns Homeland Security

Java Is Top Attack Target

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

 
 

 

blog comments powered by Disqus

 

Banner


Countdown to Xmas with Santa Tracker
03/12/2017

Santa Trackers, from Norad and Google have become part of the Christmas tradition and both of them have now started their countdown to Christmas Eve when Santa takes off from the North Pole to deliver [ ... ]



TensorFlow Incorporates Keras
10/11/2017

There's a new version of Google TensorFlow with Keras included as part of the core API.


More News

 

Last Updated ( Thursday, 18 April 2013 )
 
 

   
Banner
Banner
RSS feed of news items only
I Programmer News
Copyright © 2017 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.