Saturday, November 28, 2015

Forget the Super Bowl. Critical Java patch released; update now

Forget the Super Bowl. Critical Java patch released; update now | ZDNet

What's more important: the Ravens kicking ten bells out of the 49ers, or patching a series of serious security vulnerabilities that could otherwise let an attacker remotely execute code on your computer?

I know—stupid question, right?—but football aside for a moment, Oracle has issued an update to its latest Java software that plugs more than 50 security vulnerabilities, including one particularly nasty flaw that was being actively exploited in the wild.

The latest patch, Java 7 Update 13—critical updates are issued in consecutive odd numbers—was due to be released on February 19, but was pushed forward by two weeks.

In an advisory, Oracle said, "it felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers."

The enterprise software giant said that 44 of the vulnerabilities patched in the latest 'Update 13' only affect Java in Web browsers on desktops, along with one vulnerability that affected the client deployment installation process. Three further patched vulnerabilities apply to both client and server deployments, while the remaining two only affected server deployments of the Java Secure Socket Extension (JSSE).

Oracle has also switched the default security level in the Java settings to "high", which now requires users to expressly permit the execution of unsigned Java applets. This means users accessing malicious Web sites will be prompted before a Java applet is run.

The U.S. Department of Homeland Security first warned in early January of a serious flaw in Java, and said users should disable the Web plug-in immediately—a rare move for the government department.

Then, Oracle quickly issued Java 7 Update 11. But security experts warned that it still contained a vulnerability that could allow hackers to remotely execute code on a computer. Homeland Security then reissued its warning that the updated Java software still posed risks and warned that "unless it was absolutely necessary [...] disable [Java]."

Apple also blocked Java on OS X machines when new unpatched vulnerabilities were detected. The Cupertino, Calif.-based technology giant blocked the bug-laden Java version using the Mac's built-in XProtect anti-malware system.
