Oracle releases out of the blue out of cycle fixes for Java

Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.

Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.

The good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk, the bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch not just those who were running Java 7.

Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE 2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure if they patched four or five flaws.

The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That’s as bad as it gets folks.

The fourth affects both Java 6 and Java 7, but in and of itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.

The fact that Oracle included this fourth vulnerability implies that they are seeing it used in conjunction with other vulnerabilities in the wild and you would be strongly encouraged to apply the fix right away.

The bigger question is do you really need Java? If you can get by without it, you should. That is true for any application that interfaces with the internet. Less programs = less vulnerabilities.

Unfortunately many organizations do require Java, but sometimes there are alternatives. All you need to do is ask.

I tweeted complaining about Java requirements to @GoToMeeting yesterday and they responded with “We’re in the process of replacing Java currently. On Windows you can always select the manual DL after disabling Java”. Excellent.

That is all of the info I have for now as Oracle’s web servers are currently returning an Apache error when I try to pull up the support document. I will update this article as appropriate with any further patch details when they are available.

Don’t wait for your auto update program to trigger, download Java 7 Update 7or Java 6 update 35 now.

This entry was written by Zac , posted on Thursday August 30 2012at 07:08 pm , filed under Linux, Microsoft/Windows, Security, Vulnerabilities and tagged , , , , , , , , , , , , , , , , , , , . Bookmark the permalink . Post a comment below or leave a trackback: Trackback URL.

Leave a Reply

You must be logged in to post a comment.