Java Update Patches Dozens of Critical Flaws
Oracle released a large security update this week that patched 42 security holes in its ubiquitous Java software environment, and also included new security features to alert users to the risks of some Java code.
Thirty-nine of the 42 flaws could be exploited over the network by an attacker with no credentials at all, Oracle said in its security bulletin.
Java bug-hunter Adam Gowdiak of Polish security firm Security Explorations told TechWeekEurope that one flaw had been known of since 2005.
The much-maligned Java software environment, designed to let applications run on any platform, has been heavily criticized for a seemingly never-ending series of security flaws that have put Java's hundreds of millions of personal-computer users at risk.
Oracle's new customer warnings are aimed at users of Java Web browser plug-ins, educating users about risks associated with older versions of Java and with uncertified Web-based apps.
As well as patching Java 7, the current version of the software, Oracle is patching Java 6, an older version still used by about half of Java users, according to software-statistics website StatOwl.
In February, after another massive Java security update, Oracle said it would stop issuing public updates for Java 6. A month later, it nonetheless pushed out another Java 6 update to address a flaw that was being actively exploited.
This week's patch also included 128 security patches for Oracle's enterprise products, including highly critical flaws in its Database Server and Fusion Middleware.
Although Oracle estimates that Java is installed on 850 million Windows, Mac and Linux computers worldwide, most people rarely use it, so for most of them the browser plug-in is exposure without any corresponding benefit.
The recent network breaches of Apple, Facebook, Microsoft and Twitter began with a Java browser plug-in exploit planted on websites frequented by software developers; the exploit installed malware on the developers' machines. The Flashback Trojan that infected 600,000 Macs last year also got in through an unpatched Java vulnerability reachable from the browser.
We suggest all users disable the Java browser plug-in unless they need it for work or for online games. If you do need Java in the browser, restrict it to one browser and use that browser only for the Java-based Web applications that require it; do everything else in a browser with the plug-in switched off.
Disabling the browser plug-in won't affect stand-alone applications that require Java, such as Adobe's Creative Suite and the building-block game Minecraft. Those applications still run on the same Java runtime, however, so the runtime itself still needs this week's update even with the plug-in off.
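Two checks a practitioner would want to script for the advice above: detecting an installed Java that is older than a required minimum, and disabling the browser plug-in in the Java deployment settings. The following is an added example written for this page; it is not code from Oracle or from the article. It assumes that `java -version` prints a line of the form `java version "1.7.0_21"`, and that the plug-in switch is the deployment.properties key `deployment.webjava.enabled` (with a `.locked` line to stop the Java Control Panel from re-enabling it); the version strings and property file contents used for input are constructed samples, and the minimum version is a parameter rather than any particular release.

```python
"""Added example (not from the article or from Oracle).

Assumptions, none of which the article states:
  * `java -version` writes a first line like:  java version "1.7.0_21"
    (it writes to stderr, not stdout).
  * The browser plug-in is controlled by the deployment.properties key
    deployment.webjava.enabled; "false" turns it off, and a bare
    "deployment.webjava.enabled.locked" line freezes the setting so the
    Java Control Panel cannot turn it back on.
  * Version tuples are compared as (major, minor, patch, update).
"""
import re
import subprocess

# Matches both `java version "1.7.0_21"` and `openjdk version "1.7.0_25"`;
# the "_NN" update number is optional in older release strings.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_output):
    """Return (major, minor, patch, update) parsed from `java -version` output.

    "1.7.0_21" becomes (1, 7, 0, 21); a missing update number counts as 0.
    Raises ValueError if no version string is found.
    """
    match = VERSION_RE.search(version_output)
    if not match:
        raise ValueError("unrecognised java -version output: %r" % version_output)
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_outdated(version_output, minimum):
    """True if the version in `version_output` is older than `minimum`.

    `minimum` is a tuple in the same (major, minor, patch, update) shape,
    e.g. the tuple of the release that carries the patch you require.
    """
    return parse_java_version(version_output) < tuple(minimum)


def installed_java_version():
    """Run the real `java -version` on this machine; None if Java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:          # java binary not on PATH
        return None
    try:
        return parse_java_version(proc.stderr or proc.stdout)
    except ValueError:
        return None


def disable_webjava(properties_text):
    """Return deployment.properties content with the browser plug-in off and locked.

    Any existing lines for the two keys are replaced; all other lines are
    kept unchanged, so the function is safe to apply repeatedly.
    """
    wanted = [
        ("deployment.webjava.enabled", "false"),
        ("deployment.webjava.enabled.locked", None),   # bare key = locked
    ]
    managed = {key for key, _ in wanted}
    kept = []
    for line in properties_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key not in managed:
            kept.append(line)
    for key, value in wanted:
        kept.append(key if value is None else "%s=%s" % (key, value))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed sample: a machine whose Java predates the required minimum.
    sample_output = 'java version "1.6.0_43"\n'
    required = (1, 7, 0, 21)            # example minimum, passed in by the caller
    print("outdated:", is_outdated(sample_output, required))
    print(disable_webjava("deployment.webjava.enabled=true\ndeployment.security.level=HIGH\n"))
```

On a real machine the output of `disable_webjava` is written to the user-level `deployment.properties` (under `~/.java/deployment/` on Linux, or the `LocalLow\Sun\Java\Deployment` folder under the user's AppData on Windows), or, for a fleet, to the system-level file named by `deployment.system.config`; the browser must be restarted for the change to take effect. The version check only tells you the default `java` on PATH is current; a second, older runtime bundled with an application is exactly the case the article's last paragraph warns about.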