Forget the Super Bowl. Critical Java patch released; update now

Summary: Oracle has released a critical Java update that fixes more than 50 security vulnerabilities. Considering the ruckus over the past fortnight, along with repeated warnings from the U.S. Dept. of Homeland Security, you should update Java as soon as possible.

TOPICS: Security

What's more important: the Ravens' kicking ten bells out of the 49ers, or patching a series of serious security vulnerabilities that could prevent your computer from being attacked by remotely executed code?

I know—stupid question, right?—but football aside for a moment, Oracle has issued an update to its latest Java software that plugs more than 50 security vulnerabilities, including one particularly nasty flaw that was being actively exploited in the wild.

The latest patch, Java 7 Update 13—critical updates are issued in consecutive odd numbers—was due to be released on February 19, but was pushed forward by two weeks.

In an advisory, Oracle said, "it felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers."

The enterprise software giant said that 44 of the vulnerabilities patched in the latest 'Update 13' only affect Java in Web browsers on desktops, along with one vulnerability that affected the client deployment installation process. Also patched are three vulnerabilities that apply to client and server deployments, while the remaining two vulnerabilities only affected server deployments of the Java Secure Socket Extension (JSSE).

Oracle has also switched the security setting to "high" in the Java control panel by default, which now requires users to expressly permit the execution of unsigned Java applets. This means users accessing malicious Web sites will be notified before a Java applet is run.

The U.S. Department of Homeland Security first warned in early January of a serious flaw in Java, and said users should disable the Web plug-in immediately—a rare move for the government department.

Then, Oracle quickly issued Java 7 Update 11. But security experts warned that it still contained a vulnerability that could allow hackers to remotely execute code on a computer. Homeland Security then reissued its warning that the updated Java software still posed risks and warned that "unless it was absolutely necessary [...] disable [Java]."

Apple also blocked Java on OS X machines after new unpatched vulnerabilities were detected. The Cupertino, Calif.-based technology giant blocked the bug-laden Java version using the Mac's built-in XProtect anti-malware system.
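An added inventory check, not part of the article: it parses the first line of `java -version` output and flags Java 7 installs older than Update 13, the release discussed above (7u11 still shipped the exploited flaw). The host names and outputs are constructed, and the minimum-patched map is an assumption that covers only the Java 7 line.

```python
import re

# Assumption for this example: the Java 7 line is patched at Update 13 (the
# release the article describes). Other Java families are not covered here.
MIN_PATCHED_UPDATE = {7: 13}

# `java -version` prints (to stderr) a first line such as:  java version "1.7.0_11"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # "1.7.0" with no _NN is update 0
    return family, update


def needs_update(output):
    """True if a Java 7 build is older than Update 13, False if at/after it,
    None if the output is unparseable or belongs to a family this check ignores."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    if family not in MIN_PATCHED_UPDATE:
        return None
    return update < MIN_PATCHED_UPDATE[family]


# Constructed sample outputs in the format `java -version` uses; not captured from real hosts.
SAMPLES = {
    "host-a": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n',
    "host-b": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment\n',
    "host-c": 'java version "1.6.0_38"\n',
    "host-d": 'no java installed\n',
}


def report(samples=SAMPLES):
    """Map each host name to 'update', 'ok' or 'unknown'."""
    labels = {True: "update", False: "ok", None: "unknown"}
    return {host: labels[needs_update(out)] for host, out in samples.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(host, status)
```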

  • Do you want to install the toolbar?

    No. Do you want to uninstall Java? Yes.
    • Petition to stop Ask Toolbar

      Let's all sign this petition to stop Ask Toolbar bundling with Java:
      Saeid Nourian
      • Hear, hear!

        Yes, please.
      • really

        So you actually took out time to do a petition telling Oracle to give up making money by adding the Ask toolbar. Are you really that stupid that you can't uncheck the box?
        • they need to be more administrator friendly

          The key is not what can one individual do and “are you so dumb you can’t uncheck a box”;

          it's that we as administrators have hundreds and thousands if not more users that we need to administrate as a single unit effectively. And time and time again they have put out a substandard product with little documentation for effective use and management.

          If Oracle/Sun wants to be “the guy” for runtime environments then they have to step up and make an effective, SAFE product that can be managed easily and effectively without the bloat in it.
        • Stick your nose in the air.

          "Are you really that stupid that you can't uncheck the box?"

          Did calling him stupid -- without asking a single clarifying question -- make you feel superior?
        • not quite that simple

          These practices are not simply "oh, uncheck me and I won't hassle you". It gets completely out of hand if nobody complains. First it's that, then they start hiding additional toolbars in later screens. Then they start hiding it within long bodies of text. Then they hide the text so that if you don't scroll through it you can't find it.

          That's how ugly EULAs have become and nobody reads through all of that. So if you let this go, that's where it will head. Believe me, I have seen some seriously ugly "install this toolbar" type of attempts.
        • Oracle misleads

          Even expert Java programmers forget to uncheck it sometimes, but the real issue here is misleading the non-expert customers. As a Java product developer, if I ask my customers to install Java and they end up with crapware and a messed-up browser, they will blame me and stop using all Java-based products.

          If you read the installer instructions you will see that it says Oracle "highly recommends" that you leave the check on. Many people think they should trust Oracle and leave the check on.

          Obviously, if everyone remembered to uncheck it, Ask Toolbar would have been out of business a long time ago. The only reason they have survived so far is by tricking people. It's a scam and scams should not be endorsed by anyone.
          Saeid Nourian
        • Why not make it OPTIONAL?

          Some of us have to support others and constantly remind them to uncheck the option.
  • Still not sure about OPEN JDK Java 7

    I asked this in another post but no one answered it. I use Linux and the OpenJDK Java 7 runtime software and don't know if it suffers from the same problems as Oracle Java 7.... does anyone know? Certainly don't get the Ask toolbar loaded on install.

    What about Java 6, can we use that?
    • Java6? Not safe either...

      The patch also lists the following versions of Java as vulnerable (apart from 7):

      6 Update 38 and before
      5.0 Update 38 and before
      1.4.2_40 and before
    • Linux/OpenJDK -

      Ubuntu says that the Ubuntu JDK is NOT susceptible to the same exploits as Oracle Java.
  • Java Petition

    Sign this Petition to demand that Oracle stop bundling Ask Toolbar with Java:
    Saeid Nourian
  • Too Late.

    I uninstalled Java from all of my computers two weeks ago. Haven't missed it yet.
    • 5 years

      We did it 5 years ago, and we are still in business so it can't be too critical.
  • Too late...

    Already removed Java from all my machines, for sure. I can cook better French cuisine than Oracle's cooks can code...
  • Oracle Java plugin gone

    Removed from all client machines and not coming back without a major need for it appearing. Also, it's difficult to distinguish the Ask toolbar (perpetually poked at Oracle Java installs and updates) from any malware.
  • I agree

    Disabled Java, and have seen no need for it yet, in the browser. Of course I also have Flash blocked and rarely use that, either. I can unblock Flash on a per-use basis though. Maybe if someone came up with an application that told you where on a page, or why Java needed to run in your browser and unblock it. NoScript for Firefox (what I use to block Flash, and most everything) comes to mind. IE users, forget it.
    • blocking java in browsers

      What about the AOL browser? A friend has used that for years. Is it really IE?
  • Mac OS X auto software update

    Every once in a while I click "Software Update" on my Mac OS X 10.6.8, just to 'be sure.' Today, it started downloading the latest software update for Java. I had already disabled Java out of caution some time ago. How is it that the Mac can automatically start downloading the update without asking me, considering the situation?