Oracle rushes out another Java update

Oracle has rushed out another security update for Java in the wake of a flawed update released in January.

That update was also rushed out because one of the vulnerabilities – CVE-2013-0422 – was being exploited in the wild and had been added to the Blackhole and Nuclear Pack exploit kits.

Download this free guide

3 key web security guidelines from FS-ISAC

We address the ongoing issues regarding web security for businesses relying on an online presence. Download this e-guide and discover how to identify and address overlooked web security vulnerabilities as well as why you should look at the full security development lifecycle to reduce web threats.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

The latest update comes two weeks ahead of schedule and is aimed at fixing 50 vulnerabilities, most of which are exploitable remotely without needing a username and password.

Like the January update, Oracle said the latest update had been released ahead of schedule because of reports that one of the vulnerabilities covered by the update is already being exploited by attackers.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [critical patch update] fixes as soon as possible," the company said in an update advisory.

Until the CPU fixes are applied, Oracle said there were two workarounds to reduce the risk of a successful attack.

One is to restrict network protocols required by an attack, and the other, for attacks that require certain privileges or access to certain packages, is to remove the privileges or the ability to access the packages from unprivileged users.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem,” the advisory said.