Oracle Issues 51 Java Security Fixes, 12 of Them Critical
Oracle has released a quarterly Critical Patch Update carrying 127 security
fixes for its products, including no less than 51 for Java, which remains not only one of the most popular installations but also one of the most popular for malware mischief makers and thieves looking to seize control of desktops and laptops.
A Critical Patch Update is a quarterly collection of patches for multiple security vulnerabilities.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply [the] fixes as soon as possible," the company said.
Out of all the products addressed in the package Tuesday, Java is easily recognized as one of the most widely installed programs. The appeal of Java for programmers is credited to its ease of use -- software written with it can easily be made to run on many different types of computers -- and vast libraries. Java, according to Oracle, is a widely installed and powerful programming language, with 97 percent of enterprise desktops running Java, and 89 percent of desktops in the U.S. running it, too.
Applause for Earlier Arrivals
For businesses and consumers alike, Oracle's move to include Java fixes as part of the entire package of normal Oracle updates is a good sign, as it indicates Oracle's move to increase the frequency of Java security releases. This is the first time Oracle is patching Java on the same quarterly cycle as other products. Oracle's next quarterly patch update is scheduled for mid-January.
Security watchers this week took the opportunity to roll out their standard advice for business and consumer users who have Java installed: If you need it, be sure to heed the updates and stay current. If you don't need Java, disable it and walk away from the hungry tricksters looking for Java holes.
Out of the 51 vulnerabilities, 12 have the highest CVSSv2 score of 10, blogged Wolfgang Kandek, CTO at Qualys, a security solutions company based in Redwood City, Calif. By CVSS, Kandek was referring to the Common Vulnerability Scoring System, a universal and standardized method for rating IT vulnerabilities.
"Let's start with Java, as it is widely installed and widely attacked; it should be on the top of your patch list for today. The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication," he wrote.
A Few Worthwhile Minutes
Most of the vulnerabilities are on the Java client side but Kandek took note of two critical vulnerabilities that apply to server installations, CVE-2013-5782 and CVE-2013-5830.
"A new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines." Kandek advised.
Security blogger Brian Krebs also said that if people needed to run Java, it was worth taking time to apply the update.