Java Critical Patch Update Released
February 2, 2013

Oracle Releases February Java Update Early To Fix Vulnerabilities

redOrbit Staff & Wire Reports - Your Universe Online

In response to ongoing security issues surrounding their Java software, Oracle released a new update for the product on Friday — more than two weeks ahead of schedule.

“The original Critical Patch Update for Java SE — February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation ℠in the wild´ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update,” the company said in a statement.

According to Computerworld Defensive Computing Columnist Michael Horowitz, the new update comes just two weeks after the release of the last Java patch, and reportedly fixes 44 vulnerabilities associated with the use of Java programs embedded in web pages.

In addition, Update 13 for Java 7 and Update 39 for Java 6 also include six other security fixes as well as other bug-corrections, Horowitz added. He advises those who need Java to update as soon as they possibly can, and warns those using the software on Windows based systems to completely uninstall and reinstall Java rather than simply performing the update. Horowitz also advises against the use of 64-bit editions of Java.

“This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments,” Oracle´s Eric Maurice explained in a Friday blog post. “This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment.”

“Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to ℠high´ by default,” he added. “The ℠high´ security setting requires users to expressly authorize the execution of unsigned applets allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute ℠silently´). As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. “

Maurice also touted the recently introduced feature that allows Windows users to quickly and easily disable the software in their web browsers by using the Java Control Panel. The early release of the update was in response to reports of the Java Runtime Environment (JRE) vulnerability in desktop web surfing software.

“Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” he explained. “The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle´s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.”

The previous version of Java 7, which was released on January 13, was designed to block a zero-day vulnerability that had been “weaponized” and packaged with a variety of different hacking toolkits, reported John Leyden of The Register.

The security issues had generated a considerable amount of unwanted publicity, including from the US Department of Homeland Security, who dubbed the software a weak target in browsers, he said.

“Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimize exposure to future attacks,” Leyden continued. “Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.”

“Oracle clearly doesn't care much for this advice or observations. However the facts of the matter have limited it to stating that the vulnerability was limited to Java on the browser,” he added. “It pointed out that server-side Java, desktop Java and embedded Java are immune from recent attacks, which broke the security seals on browser plugins and compromised victims' computers.”