Oracle has updated Java 7 again, following a run of frequently emerging security holes.
Oracle was due to release its "Critical Patch Update February 2013" (CPU) for Java on 19 February 2013, but because one of the vulnerabilities was exploited, the company hurried out its patches. Oracle has released the security updates as an emergency release, which fixes 50 holes. Yesterday, we reported that Apple had also blocked Java. So, it seems Apple had a clue that the emergency patch was coming. According to an official posting from Oracle, “The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.”
The security patch seems important: of the 50 vulnerabilities, 26 are rated at the highest CVSS level (10.0) and two are rated at 9.3. Oracle strongly recommends that users update to the latest version as soon as possible. The Java Runtime Environment (JRE) update is available for Windows, Mac OS X, Linux and Solaris at the site. Oracle has also introduced updated versions of the Java Development Kit for Java 6 and 7 along with updates for Java 6.
Well, the experts are yet to comment on the new update. Previously, after Oracle released update 11 of Java 7, Security Explorations researcher Adam Gowdiak criticised Oracle for just stating theories and not acting on the issue. The Java security lead explained that one of the changes includes the ability to select a security level (Low, Medium, High or Very High) that controls the execution of unsigned Java applets. Gowdiak challenged this protective measure by stating that he had already developed a proof-of-concept applet which can run on Windows systems with any of the Java applet security levels set.
So, is Java actually safe now, or is there more to it than meets the eye? Wait and watch!