Forget the Super Bowl. Critical Java patch released; update now

Summary: Oracle has released a Critical Patch Update for Java that fixes 50 security vulnerabilities. Given the ruckus over the past fortnight, along with repeated warnings from the U.S. Department of Homeland Security, you should update Java as soon as possible.


What's more important: the Ravens kicking ten bells out of the 49ers, or patching a series of serious security vulnerabilities that would otherwise let an attacker run code on your computer remotely?

I know, stupid question, right? But football aside for a moment, Oracle has issued an update to its latest Java software that plugs 50 security vulnerabilities, including one particularly nasty flaw that was being actively exploited in the wild.


The latest patch, Java 7 Update 13 (Oracle's Critical Patch Updates for Java carry consecutive odd update numbers, hence the jump from Update 11 to Update 13), had been scheduled for release on February 19 but was brought forward by two weeks.

In an advisory, Oracle said it "felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers."

The enterprise software giant said that 44 of the 50 vulnerabilities patched in Update 13 affect only Java running in Web browsers on desktops, and one more affects the client deployment installation process. Also patched were three vulnerabilities that apply to both client and server deployments, while the remaining two affect only server deployments of the Java Secure Socket Extension (JSSE).

Oracle has also changed the default security level in the Java control panel to "high", which now requires the user to expressly permit an unsigned Java applet before it runs. A user who lands on a malicious Web site will therefore be prompted before an applet executes. Note that the prompt only protects users who decline it, so it is a safeguard alongside patching, not a substitute for it.
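For anyone who has to confirm that machines actually picked up the update, here is an added example (not code from the article, from Oracle, or from ZDNet) that decides whether a client is at the patched 7u13 level and whether the plug-in security level is "high". It parses the text that `java -version` prints and the user's deployment.properties file; the sample outputs below are constructed, and the property names deployment.security.level and deployment.webjava.enabled are assumptions taken from Oracle's deployment configuration documentation for Java 7u10 and later. Java versions other than 7 are reported as outside the scope of this check rather than guessed at.

```python
"""Check a Java client against the 7u13 Critical Patch Update.

Added example, not from the article or Oracle. Parses constructed
`java -version` output and deployment.properties text offline.
"""
import re
from typing import Dict, Optional, Tuple

# Java 7 Update 13 is the patched level named in the article.
MIN_PATCHED = (1, 7, 0, 13)

# Constructed samples in the format `java -version` writes to stderr.
SAMPLE_VERSION_OUTPUTS = {
    "patched": 'java version "1.7.0_13"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_13-b20)\n',
    "vulnerable": 'java version "1.7.0_11"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "other_major": 'java version "1.6.0_39"\n',
    "garbage": "bash: java: command not found\n",
}

# Constructed sample of a user's deployment.properties. The property names
# are an assumption based on Oracle's Java 7u10+ deployment documentation.
SAMPLE_DEPLOYMENT_PROPERTIES = """# Java Deployment jre's (constructed sample)
deployment.version=7.13
deployment.security.level=HIGH
deployment.webjava.enabled=true
"""

_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess_version(output: str) -> str:
    """Classify a Java 7 install relative to 7u13; other majors are out of scope."""
    v = parse_java_version(output)
    if v is None:
        return "unknown"
    if v[:2] != (1, 7):
        return "not-java-7"  # the article covers only the Java 7 line
    return "patched" if v >= MIN_PATCHED else "needs-update"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def plugin_settings_ok(properties_text: str) -> Dict[str, bool]:
    """True for each setting that matches the post-Update-13 safe posture."""
    props = parse_properties(properties_text)
    level = props.get("deployment.security.level", "").upper()
    # Either the browser plug-in is switched off entirely, or unsigned applets
    # need an explicit click-through ("HIGH"; "VERY_HIGH" is stricter still).
    web_java_disabled = props.get("deployment.webjava.enabled", "true").lower() == "false"
    return {
        "security_level_high": level in ("HIGH", "VERY_HIGH"),
        "web_java_disabled": web_java_disabled,
    }


def assess_client(version_output: str, properties_text: str) -> Dict[str, object]:
    """Combine the version gate and the plug-in posture into one verdict."""
    settings = plugin_settings_ok(properties_text)
    status = assess_version(version_output)
    return {
        "version_status": status,
        "security_level_high": settings["security_level_high"],
        "web_java_disabled": settings["web_java_disabled"],
        # Acceptable if patched, or if the browser plug-in is off altogether.
        "acceptable": status == "patched" or settings["web_java_disabled"],
    }


if __name__ == "__main__":
    for name, out in SAMPLE_VERSION_OUTPUTS.items():
        print(name, assess_client(out, SAMPLE_DEPLOYMENT_PROPERTIES))
```

On a real machine you would feed `assess_client` the stderr of `java -version` and the contents of the per-user deployment.properties file (its location varies by platform; that is outside what this example assumes).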

The U.S. Department of Homeland Security first warned in early January of a serious flaw in Java and said users should disable the Web plug-in immediately, a rare move for the government department.

Oracle then quickly issued Java 7 Update 11. But security experts warned that it still contained a vulnerability that could allow hackers to remotely execute code on a computer. Homeland Security reissued its warning that the updated Java software still posed risks, advising that "unless it was absolutely necessary [...] disable [Java]."

Apple also blocked Java on OS X machines each time new unpatched vulnerabilities were detected. The Cupertino, Calif.-based technology giant blocked the bug-laden Java versions through the Mac's built-in XProtect anti-malware system.


About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
