Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Oracle -- Patches 42 security holes -- in Java
Fudzilla ^ | Wednesday, 17 April 2013 09:33 | Nick Farrell

Posted on 04/17/2013 8:21:22 AM PDT by Ernest_at_the_Beach


Patches 42 security holes

Oracle has released a major security update for the version of Java programming language that runs inside Web browsers.

The patch fixes 42 vulnerabilities within Java, including "the vast majority" of those that have been rated as the most critical. Oracle Executive Vice President Hasan Rizvisaid that a series of big security flaws in the Java plug-in for browsers have been uncovered in the past year by researchers and hackers, and some have been used by criminal groups. One hacking campaign infected computers using Microsoft Windows and Apple software inside hundreds of companies.

Earlier this year the US Department of Homeland Security recommended that computer users disable Java in the browser. But many large companies use internal software that relies on Java and have been pressing Oracle to make the language safer.
Perhaps the most significant change will be that, in the default setting, sites will not be able to force Java applets to run in the browser unless they have been digitally signed.

Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said.


TOPICS: Computers/Internet
KEYWORDS: computers; computersecurity; internet; java; malware; oracle; tech

1 posted on 04/17/2013 8:21:22 AM PDT by Ernest_at_the_Beach
[ Post Reply | Private Reply | View Replies]

To: ShadowAce
It is About time.
2 posted on 04/17/2013 8:23:20 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
May take some time for "Fixed " stuff to show in updated code.

Microsoft Windows users may be the last to see anyfixeds.

Mozilla has been pumping out updates pretty frequently.

3 posted on 04/17/2013 8:27:31 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 2 | View Replies]

To: Ernest_at_the_Beach

Larry Ellison could not be reached for comment.


4 posted on 04/17/2013 8:28:22 AM PDT by nhwingut (This tagline is for lease)
[ Post Reply | Private Reply | To 1 | View Replies]

To: nhwingut
Oracle -- Patches 42 security holes -- in Java

Dashes -- we're not -- sure what -- they're for.

5 posted on 04/17/2013 8:30:40 AM PDT by SoothingDave
[ Post Reply | Private Reply | To 4 | View Replies]

To: Ernest_at_the_Beach

Does this mean I’m going to have to do 42 effing updates to the each of the 5 computers that just I use at work and home? Same ole story then...


6 posted on 04/17/2013 8:31:19 AM PDT by BreezyDog (Illegitimi non carborundum)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
But many large companies use internal software that relies on Java and have been pressing Oracle to make the language safer.

Sounds to me like they have bigger problems than java in the browser if they're worried about being hacked.

7 posted on 04/17/2013 8:31:44 AM PDT by VeniVidiVici (Obama's vision - No Job is a Good Job)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

Java - the gift that keeps on giving. I read this story out loud to a collective groan from my long-suffering IT colleagues. We just finished the month’s round of patches. Gotta do it, though.


8 posted on 04/17/2013 8:32:38 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

Since the warning I have had Java turned off - except for one work app.

I have a dedicated browser that only goes to a dedicated site that is behind a firewall. This app is mission critical to my job and there is no doing without it. But on the other hand I’m probably never going to use Java out “in the wild” on the interwebs ever again. Fixes or no fixes.


9 posted on 04/17/2013 8:33:26 AM PDT by 2 Kool 2 Be 4-Gotten
[ Post Reply | Private Reply | To 1 | View Replies]

To: BreezyDog

No. It means that you if so choose when you next upgrade Java you’ll get fixes for 42 issues - according to this.


10 posted on 04/17/2013 8:34:27 AM PDT by 2 Kool 2 Be 4-Gotten
[ Post Reply | Private Reply | To 6 | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

11 posted on 04/17/2013 8:35:12 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: SoothingDave

Well, it’s entirely, possible, that they, ran out, of commas.


12 posted on 04/17/2013 8:38:55 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 5 | View Replies]

To: Ernest_at_the_Beach

Once again proving that running code in a sandbox doesn’t help if the sandbox is poorly written or designed.


13 posted on 04/17/2013 8:45:01 AM PDT by BinaryBoy (Socialism is slavery)
[ Post Reply | Private Reply | To 1 | View Replies]

To: 2 Kool 2 Be 4-Gotten

Correct.


14 posted on 04/17/2013 8:55:08 AM PDT by Signalman
[ Post Reply | Private Reply | To 10 | View Replies]

To: Ernest_at_the_Beach

The post doesn’t say what the new version number is for the JRE


15 posted on 04/17/2013 9:02:12 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Fudzilla is not big on details.


16 posted on 04/17/2013 9:36:39 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 15 | View Replies]

To: SoothingDave

Shatner has a new gig writing copy.


17 posted on 04/17/2013 9:36:53 AM PDT by Trod Upon (Every penny given to film and TV media companies goes right into enemy coffers. Starve them out!)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce
Google turned this up from February:

Updated Release of the February 2013 Oracle Java SE Critical Patch Update

*********************************************************************

***********************************************************

The Register has Info:

Oracle slaps critical patch on insecure Java

************************************************************

Tries to educate users about potential dangers of in-browser Java apps

By Jack Clark in San FranciscoGet more from this author

Posted in Security, 17th April 2013 00:17 GMT

Free whitepaper – IT infrastructure monitoring strategies

Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code.

The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating acording to the CVVS metric the company uses to evaluate the software. Along with this, Oracle has also sought to give users more information about the Java apps that want to execute code within the browser.

The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in user's browsers as a liability rather than a benefit.

Of the 42 security flaws patched by Oracle in April, 39 of them "may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," Oracle wrote in the patch notes.

The most severe vulnerabilities exploit problems in the 2D, Deployment, Hotspot, Install, JAXP, JavaFX, RMI, Libraries and Beans sub-components of the Java runtime environment.

The majority of these exploits apply to client Java deployments, and can only be exploited through untrusted Java Web Start applications, and untrusted applets.

The vulnerabilities affect JDK and JRE 5.0, 6 and 7, along with JavaFX 2.2.7. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company said.

Alongside the patch fixes, Oracle is also rolling out an update (Java 7 Update 21) that lets the plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed).

Low-risk apps will cause a simple message to be displayed, while high-risk apps will be indicated by either an exclamation mark within a yellow triangle (applications with untrusted or expired certificates), or a yellow shield (applications with unsigned and/or invalid certificates)

This patch follows a rather insecure three months for Java: In January, Oracle admitted that Java's security was less than perfect, saying at the time that its grand plan for Java security was to fix it and communicate its security efforts more widely.

In February, a zero day flaw in Java was exploited to let unscrupulous types gnaw at the innards of major companies like Apple, Facebook, and Microsoft. In March, Oracle was forced to issue another emergency patch to deal with another zero day.

We can only wonder what May could bring... ®


18 posted on 04/17/2013 9:43:02 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 15 | View Replies]

To: Ernest_at_the_Beach

I removed Java from all the family PC’s. Haven’t had any complaints.


19 posted on 04/17/2013 9:44:42 AM PDT by RightGeek (FUBO and the donkey you rode in on)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
I don't see an issue date on this ,...mentioned in the article from Register just above but...here is a direct link:

Java™ SE Development Kit 7, Update 21 (JDK 7u21)

20 posted on 04/17/2013 9:51:13 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 15 | View Replies]

To: Ernest_at_the_Beach
JUST ANOTHER VULNERABILITY ANNOUNCEMENT
21 posted on 04/17/2013 9:58:28 AM PDT by martin_fierro (< |:)~)
[ Post Reply | Private Reply | To 1 | View Replies]

To: martin_fierro; ShadowAce
There is this :

Java SE 7u21

******************************

Oracle does not show a date on these things....

22 posted on 04/17/2013 10:07:55 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 21 | View Replies]

To: Billthedrill

See #22.


23 posted on 04/17/2013 10:08:54 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 8 | View Replies]

To: Ernest_at_the_Beach

Many thanks. Crikey! I’m at u17. BTT.


24 posted on 04/17/2013 10:11:10 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 22 | View Replies]

To: Ernest_at_the_Beach

Yeah—that’s the version I just updated to


25 posted on 04/17/2013 10:19:53 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 22 | View Replies]

To: ShadowAce

Wonderful..... ANOTHER Java update......

/puke


26 posted on 04/17/2013 10:35:28 AM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")
[ Post Reply | Private Reply | To 11 | View Replies]

To: Ernest_at_the_Beach

Thanks for the link ErnestATB, I just freaking upgraded my java in my work VM. Time to do it again.


27 posted on 04/17/2013 10:45:50 AM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 20 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson