Oracle releases mega security patch for Java

Oracle releases major security update for the version of Java that runs inside web browsers in an attempt to halt ongoing hacker attacks

In an attempt to halt ongoing hacker attacks, Oracle has released a major security update for the version of the Java programming language that runs inside web browsers.

The security update is aimed at fixing 42 vulnerabilities within Java, including "the vast majority" of those that have been rated as the most critical, said Oracle executive vice-president Hasan Rizvi.

The update also addresses the vulnerabilities found during the PWN2OWN competition at CanSecWest in Vancouver in March, where Java was exploited by three different security researchers.

The move comes amid pressure from businesses that rely on Java after the US Department of Homeland Security recommended that computer users disable Java in the browser, according to reports.

Many businesses are migrating away from Java due to the level of vulnerabilities in the Java Runtime Environment (JRE), according to Veracode’s latest State of Software Security report.

“Lots of enterprises are transitioning out of Java. There are lots of zero-day vulnerabilities, almost all of which allow malicious code execution,” said Chris Eng, vice-president of research at Veracode.

In the past year, researchers and hackers have uncovered a series of security vulnerabilities in the Java plug-in for browsers that have often been exploited by cyber criminals.

One of the biggest changes introduced by the security update is that websites will not be able to force Java applets to run in the browser if they are not digitally signed.

Users will be able to override the default setting by acknowledging the risk.

Last year, Java surpassed Adobe Systems' Reader software as the most frequently attacked piece of software, according to security firm Kaspersky Lab.

In 2011, the most frequently exploited application was Adobe Reader, which was responsible for 35% of all exploit-related incidents. Java occupied the second place with 25%.

In 2012, cybercriminals switched their primary focus to Java. While Adobe Reader was attacked in 28% of security incidents involving vulnerability exploits, Java security holes were responsible for 50% of attacks.

Oracle has also released its regular Critical Patch Update (CPU) that addresses all other Oracle products.

Overall, the April 2013 CPU fixes over 120 vulnerabilities in 13 product groups.

Wolfgang Kandek, CTO of security firm Qualys, said an accurate map of installed software will be crucial in applying these patches because of the large number of products covered.

“We recommend starting with internet-exposed services first, and then moving by the CVSS scores attached to the vulnerability,” he said.