Oracle rushes out another Java update
Oracle has rushed out another security update for Java in the wake of a flawed update released in January
That update was also rushed out because one of the vulnerabilities – CVE-2013-0422 – was being exploited in the wild and had been added to the Blackhole and Nuclear Pack exploit kits.
The latest update comes two weeks ahead of schedule and is aimed at fixing 50 vulnerabilities, most of which are exploitable remotely without needing a username and password.
Like the January update, Oracle said the latest update had been released ahead of schedule because of reports that one of the vulnerabilities covered by the update is already being exploited by attackers.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [critical patch update] fixes as soon as possible," the company said in an update advisory.
Until the CPU fixes are applied, Oracle said there were two workarounds to reduce the risk of a successful attack.
One is to restrict the network protocols an attack requires; the other, for attacks that need certain privileges or access to certain packages, is to remove those privileges or that package access from unprivileged users.
“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem,” the advisory said.