Oracle has released a Critical Patch Update for Java SE over two weeks ahead of schedule, in order to deliver security fixes for over 50 vulnerabilities.
Responding to the pressure it has faced to improve the security of Java in the browser, Oracle has released Java SE 7 Update 13 (J7u13), apparently bypassing Update 12.
The next Critical Patch Update (CPU) was originally scheduled to be released on February 19th but, according to Oracle's Director of Software Security Assurance, Eric Maurice, it was brought forward to February 1st because of:
active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.
Forty-seven of the 58 vulnerabilities addressed in this CPU affect the Java Runtime Environment (JRE). Of these, 26 have a score of 10.0, the maximum possible on the Common Vulnerability Scoring System (CVSS v2), with 23 being client-side vulnerabilities and 3 applying to both client and server deployments. In total, 44 of the vulnerabilities only affect client deployments of Java (e.g., Java in Internet browsers).
The patch also had fixes for 11 vulnerabilities in JavaFX, 8 of which have CVSS scores of 10.0.
Oracle currently has its work cut out to combat security flaws. In January it issued a security alert in relation to problems discovered with web browsers. In addition, January's CPU, which covered a total of 86 issues mainly relating to database products, tackled two vulnerabilities in the JRE with CVSS scores of 10.0 by issuing Java SE 7 Update 11 (J7u11). This, however, wasn't enough to allay the fears of the U.S. Department of Homeland Security, which advised:
Unless it is absolutely necessary to run Java in web browsers, disable it ... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
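The DHS advice above only makes sense once you know which JRE a machine actually has. The script below is an added example written for this article, not Oracle's or DHS's own tooling: it parses the banner printed by `java -version`, compares it against the 7u13 release this CPU delivers, and treats anything it cannot parse as unpatched. The sample banners are constructed for illustration; the only assumption about a real host is that a `java` binary is on the PATH.

```python
import re
import subprocess
from typing import Optional, Tuple

# The release this Critical Patch Update ships: Java SE 7 Update 13 == 1.7.0_13.
MIN_PATCHED: Tuple[int, int, int, int] = (1, 7, 0, 13)

# Constructed sample banners in the shape `java -version` prints (not captured
# from real systems). The banner is written to stderr, not stdout.
SAMPLE_BANNERS = {
    "patched": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)',
    "vulnerable": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "old_java6": 'java version "1.6.0_38"',
}

# Matches both the legacy "1.7.0_13" scheme and the later "11.0.2" scheme, and
# both the "java version" and "openjdk version" banner prefixes.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # Missing components (e.g. no "_13" update suffix) are treated as 0.
    return tuple(int(part or 0) for part in m.groups())  # type: ignore[return-value]


def is_patched(banner: str, minimum: Tuple[int, int, int, int] = MIN_PATCHED) -> bool:
    """True only when the banner parses and is at or above the minimum release.

    An unparseable banner is reported as unpatched on purpose: in an
    inventory, "unknown" must not be counted as "safe".
    """
    version = parse_java_version(banner)
    if version is None:
        return False
    return version >= minimum


def installed_java_banner() -> Optional[str]:
    """Run `java -version` on this host and return its banner, or None if absent."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:10s} {parse_java_version(banner)} patched={is_patched(banner)}")
    live = installed_java_banner()
    if live is None:
        print("no java on PATH: nothing to patch and nothing to disable in the browser")
    else:
        print("installed:", parse_java_version(live), "patched:", is_patched(live))
```

The version check only tells you whether the JRE is current; it does not tell you whether the browser plugin is enabled, which is the setting the DHS advice is really about, so a fleet inventory would pair this with a check of each browser's plugin configuration.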
According to Maurice:
The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers.
He also points out that Oracle is not only concerned to fix the problem but has been working fast, and will continue to work fast, to do so:
After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue.
The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.
It is good that Oracle has moved so quickly and is showing a degree of concern over the security of Java, but this is as much a matter of image as substance. Currently Java on the client is under attack, and users who switch Java off in the browser are unlikely to switch it back on again any time soon. Java has never been as big a hit on the client side as it has on the server side, but Oracle's attempt with JavaFX to give it a new lease of life is being battered by security fears.
At the moment, would you opt to use an Applet, a Web Start app or even JavaFX for a new project?