Oracle Issues Java Patch

Tuesday, February 5, 2013 @ 02:02 PM gHale


Oracle released a critical patch update for Java SE Friday, offering the patch ahead of schedule to stave off issues affecting the Java Runtime Environment in desktop browsers.

Initially scheduled for release February 19, the update was moved ahead so it could go out as soon as possible.


“The popularity of the Java Runtime Environment in desktop browsers and the fact that Java in browsers is OS-independent makes Java an attractive target for malicious hackers,” Oracle said.

Forty-four of the 50 vulnerabilities impact Java in Internet browsers. “In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets,” Oracle said. “In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).”

Additionally, three of the vulnerabilities apply to both client and server deployments of Java: they can be exploited on desktops through Java Web Start or browser applets, or on servers by supplying malicious input to APIs in vulnerable components.

“In some instances, the exploitation scenario of this kind of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source,” Oracle said.

Two vulnerabilities fixed in the update only apply to server-side deployment of the Java Secure Socket Extension, but most of the vulnerabilities addressed in the patch update affect Java and JavaFX client deployments, Oracle noted. “This reflects the fact the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment.”


