Oracle Fights Back On Java Security
Written by Alex Armstrong   
Tuesday, 05 February 2013

Oracle has released a Critical Patch Update for Java SE over  two weeks ahead of schedule, in order to deliver security fixes for over 50 vulnerabilities.

Responding to the pressure it has faced to improve the security of Java in the browser, Oracle has released Java SE 7 Update 13 (J7u13), apparently bypassing Update 12.

The next Critical Patch Update (CPU) was originally scheduled to be releases on February 19th but, according to Oracle's Director of Software Security Assurance, Eric Maurice,  it was brought forward to February 1st because of:

active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.

Forty seven of the 58 vulnerabilities addressed in this CPU affect the Java Runtime Environment (JRE). Of these  26 have a score of 10.0, the maximum possible on the Common Vulnerability Scoring System (CVSS v2), with 23 being client-side vulnerabilities, and 3 applying to both client and server deployments. In total   44 of the vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers).

The patch also had fixes for 11 vulnerabilities in Java FX, 8 of which CVSS scores of 10.0. 

Oracle currently has its work cut out to combat security flaws. In January it issued a security alert in relation to problems discovered with web browsers. In addition January's CPU, which covered a total of 86 issues mainly relating to database products, tackled two vulnerabilities in the JRE with CVSS scores of 10.0 by issuing Java SE 7 Update 11 (J7u11). This, however, wasn't enough to allay the fears of the U.S. Department of Homeland Security which advised:

Unless it is absolutely necessary to run Java in web browsers, disable it ... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

According to Maurice:

The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers.

He also points out that Oracle is not only concerned to fix the problem and has been working fast, and will continue to work fast, to do so:

After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue. 

The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

 

javawarning

 

It is good that Oracle has moved so quickly and is showing a degree of concern over the security of Java but this is as much a matter of image as substance. Currently Java on the client is under attack and users who switch Java off in the browser are unlikely to switch it back on again any time time soon. Java has never been as big a hit on the client side as it has on the server side, but Oracle's attempt with JavaFX to give it a new lease of life is being battered by security fears.

At the moment would you opt to use an Applet, Web Start app or even a JavaFX for a new project?

 


 

More Information

Oracle Java SE Critical Patch Update Advisory - February 2013

The Oracle Software Security Assurance Blog 

Common Vulnerability Scoring System (CVSS v2) 

Related Articles

Java Still Insecure Warns Homeland Security

Oracle Patches 86 Flaws in Database and Enterprise Products

Java Is Top Attack Target
Strong Uptake of Java 7

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Banner


OpenAI Library For .NET Exits Beta
19/11/2024

A few months ago the OpenAI .NET library was released as a beta. It has now reached version 2.0.0 and the time has come to leave beta and, with a few amendments enter production readiness.



Raspberry Pi CM5 - Expensive And Undocumented
27/11/2024

So the unexpected has happened - the Compute Module 5 has been launched. But it simply emphasises some problems with adopting the Pi as an IoT device.


More News

Last Updated ( Tuesday, 05 February 2013 )