In an attempt to halt ongoing attacks, Oracle has released a major security update for the version of the Java platform that runs inside web browsers.
The security update is aimed at fixing 42 vulnerabilities within Java, including "the vast majority" of those that have been rated as the most critical, said Oracle executive vice-president Hasan Rizvi.
The update also addresses the vulnerabilities found during the PWN2OWN competition at CanSecWest in Vancouver in March, where Java was exploited by three different security researchers.
Many businesses are migrating away from Java due to the level of vulnerabilities in the Java Runtime Environment (JRE), according to Veracode’s latest State of Software Security report.
“Lots of enterprises are transitioning out of Java. There are lots of zero-day vulnerabilities, almost all of which allow malicious code execution,” said Chris Eng, vice-president of research at Veracode.
In the past year, researchers and attackers have uncovered a series of security vulnerabilities in the Java browser plug-in, many of which have been exploited by cybercriminals.
One of the biggest changes introduced by the security update is that websites will no longer be able to force a Java applet to run in the browser unless it is digitally signed.
Users will still be able to override the default setting, but only by explicitly acknowledging the risk.
Last year, Java surpassed Adobe Systems' Reader software as the most frequently attacked piece of software, according to security firm Kaspersky Lab.
In 2011, the most frequently exploited application was Adobe Reader, which was responsible for 35% of all exploit-related incidents. Java occupied the second place with 25%.
In 2012, cybercriminals switched their primary focus to Java. While Adobe Reader was attacked in 28% of security incidents involving vulnerability exploits, Java security holes were responsible for 50% of attacks.
Oracle has also released its regular Critical Patch Update (CPU), which covers the rest of its product line.
Overall, the April 2013 CPU fixes over 120 vulnerabilities in 13 product groups.
Wolfgang Kandek, CTO of security firm Qualys, said an accurate map of installed software will be crucial in applying these patches, given the large number of products covered.
“We recommend starting with internet-exposed services first, and then moving by the CVSS scores attached to the vulnerability,” he said.
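The triage order Kandek describes (internet-exposed systems first, then descending CVSS score) is simple enough to encode so that it is applied consistently across a large inventory. The following is an added example, not code from the article, Qualys or Oracle: the inventory format, field names, hostnames, products and scores are all constructed for illustration, and the severity bands are the NVD ranges for CVSS v2 base scores.

```python
"""Patch triage in the order described above: internet-exposed hosts first,
then by CVSS base score, grouped into per-host work items.

Added example with constructed data. The Finding layout and field names are
assumptions for illustration, not the output format of any scanner."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    cvss: float            # CVSS v2 base score, 0.0 to 10.0
    internet_exposed: bool


def severity(cvss: float) -> str:
    """Band a CVSS v2 base score using the NVD v2 ranges
    (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(findings):
    """Order findings for patching: exposed before internal, higher CVSS
    before lower. Python's sort is stable, so ties keep inventory order."""
    return sorted(findings, key=lambda f: (not f.internet_exposed, -f.cvss))


def patch_plan(findings):
    """Collapse the triaged list into one work item per host, so a single
    maintenance window on a host covers every affected product on it.
    Hosts appear in the order their most urgent finding was triaged."""
    plan = []
    seen = set()
    for f in triage(findings):
        if f.host in seen:
            continue
        seen.add(f.host)
        on_host = [g for g in findings if g.host == f.host]
        worst = max(g.cvss for g in on_host)
        plan.append({
            "host": f.host,
            "internet_exposed": f.internet_exposed,
            "max_cvss": worst,
            "severity": severity(worst),
            "products": sorted({g.product for g in on_host}),
        })
    return plan


# Constructed sample inventory: hostnames, products and scores are made up
# to exercise the ordering (an exposed host with a mixed set of findings,
# an internal host with a higher score than an exposed one, and a tie).
SAMPLE = [
    Finding("db-internal-01", "Oracle Database", 9.0, False),
    Finding("web-dmz-01", "Java SE (browser plug-in)", 10.0, True),
    Finding("web-dmz-01", "Oracle WebLogic", 5.0, True),
    Finding("app-dmz-02", "Oracle WebLogic", 5.0, True),
    Finding("ws-internal-17", "Java SE (browser plug-in)", 10.0, False),
]

if __name__ == "__main__":
    for item in patch_plan(SAMPLE):
        print(item)
```

Note that the internal workstation carrying a CVSS 10.0 Java finding is deliberately scheduled after every exposed host, including one whose worst finding is only 5.0; that is what "internet-exposed first, then by CVSS" means in practice, and the inventory must carry an accurate exposure flag for the ordering to be meaningful.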