Oracle issues major Java security fix; recommends immediate action

Summary: Amid some controversy, Oracle issues a patch to fix up some nagging Java security vulnerabilities.

Oracle has just released an update that is intended to patch up three "distinct but related vulnerabilities" as well as another serious security issue regarding Java running on desktop browsers.

More specifically, the security holes could be exploited over a network without needing a username and password if an unsuspecting user is running an affected release in a browser and then visits a malicious web page that leverages this vulnerability.

The possible outcome is that the vulnerabilities could be used to compromise personal data and the accessibility of the user's system overall.

Oracle software security assurance director Eric Maurice explained in a blog post on Thursday that customers should apply the updates as soon as possible because many of the technical details related to the vulnerabilities are already widely available online.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.

But Oracle asserts that the security vulnerabilities are not applicable to standalone Java desktop applications, Java running on servers, or any Oracle server based software.

However, there is a bit of a firestorm over the delay and quietness of Oracle's response to these issues. Some media outlets are pointing towards Polish security firm Security Explorations, which claimed that Oracle knew about these vulnerabilities for months.

To some degree, Oracle acknowledges this, as Maurice pointed out that Oracle has received external reports that these vulnerabilities are already being actively exploited in the wild.

Despite brewing criticism towards the Java owner, the patches are available now, so don't delay in applying them if your system is at risk.

Topics: Security, Oracle

About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...
