Oracle issues major Java security fix; recommends immediate action

Summary: Amid some controversy, Oracle issues a patch to fix up some nagging Java security vulnerabilities.

By Rachel King for Between the Lines | August 30, 2012 -- 20:48 GMT (13:48 PDT)

Oracle has just released an update that is intended to patch up three "distinct but related vulnerabilities" as well as another serious security issue regarding Java running on desktop browsers.

More specifically, the security holes could be exploited over a network without needing a username and password if an unsuspecting user is running an affected release in a browser and then visits a malicious web page that leverages this vulnerability.

The possible outcome is that the vulnerabilities could be used to exploit personal data and accessibility of the user's system overall.

Oracle software security assurance director Eric Maurice explained in a blog post on Thursday that customers should apply the updates as soon as possible because many of the technical details related to the vulnerabilities are already widely available online.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.

But Oracle asserts that the security vulnerabilities are not applicable to standalone Java desktop applications, Java running on servers, or any Oracle server based software.

However, there is a bit of a firestorm over the delay and quietness of Oracle's response to these issues. Some media outlets are pointing towards Polish security firm Security Explorations, which claimed that Oracle knew about these vulnerabilities for months.

To some degree, Oracle acknowledges this was Maurice pointed out that Oracle has received external reports that these vulnerabilities are already being actively exploited in the wild.

Despite brewing criticism towards the Java owner, the patches are available now, so don't delay in applying them if your system is at risk.

Topics: Security, Oracle

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments

Log in or register to join the discussion

Nobody Uses Java Applets Any More

As far as I’m aware, nobody runs Java in their browser any more, and that’s the only reason this is not such a big deal.

ldo17
30 August, 2012 21:05

Reply Vote
- Not sure if Serious!
  
  Yes, people do still run Java applets in their browsers. Many many websites still employ java as a means to view one thing or another and many of these sites server specific verticals so there are no useful alternatives to them. Note, I work for an MSP for small businesses.
  
  Bryansix
  30 August, 2012 21:10
  
  Reply 6 Votes
- jave - yes
  
  I need to use Java. Your comment is really rather useless.
  
  Bradish@...
  31 August, 2012 03:32
  
  Reply Vote
- Most Internet banking sites use Java for authentication
  
  ...and the alternative here where I live, where you pay virtually all your bills in the bank, would be either long lines at their cashiers and even ATMs at peak times or long waits on ever-congested phone lines. I have also stumbled on many sites that use Java for all sorts of things (including, for example, cloud-based antivirus scans) and there are also non-browser applications that require it, most notably LibreOffice. In the mobile world, Java rules. So, both my PC and my phone are already patched up.
  
  goyta
  31 August, 2012 21:38
  
  Reply Vote
  - Re: Most Internet banking sites use Java for authentication
    
    Sit down for a moment and consider the irony of what you just said.
    
    ldo17
    1 September, 2012 01:43
    
    Reply 1 Vote
- Doesn't matter, if a vulnerable version is installed....
  
  ...then a malicious link can take advantage of it. And there are plenty of sites that use java, from government to school sites and games. That's why it is installed on approximately 850 MILLION computers. simply by HAVING it installed (the web browser add-on) means you could be at risk.
  
  RocketMan McFodder
  29 January, 2013 22:21
  
  Reply Vote
Opted Out

I finally got disgusted with running on the perpetual Java update treadmill and simply removed it from each of my systems where it was found. Now I will wait and see if actual use of the systems is impaired in any way. Right now I'm anticipating little, if any, downside.

zdnet@...
30 August, 2012 21:25

Reply Vote
- Of course Oracle new of this exploit months ago
  
  Even I knew of these exploits months ago, which is why -- like the poster before me -- I opted out of Java 6 months ago.
  
  I thought I'd run into all kinds of problems on web sites but I haven't. Not even once in six months.
  
  CasualAdventurer
  31 August, 2012 14:11
  
  Reply Vote
- "Perpetual update treadmill"
  
  Better not use Chrome, it gets updates every six weeks. Oh, that means Firefox is out of the question too. Can't use Windows, that has updates at least once a month, probably more. That counts out IE, too, when it comes to browsers. In fact, you can't use any browsers... they're all constantly wanting you to patch.
  
  Can't use office programs, they get patches a lot too.
  
  Can't use IDEs, they get patched a decent amount.
  
  Actually, just stay away from computers. Everything seems to be getting patches these days, constantly.
  
  You might be lucky and stay with... no, OSX looks like it's going to be moving to monthly patches as well (thanks to a yearly release).
  
  Michael Alan Goff
  31 August, 2012 15:10
  
  Reply 1 Vote
Ver 1.6

What if those vulnerabilites were really an intended "feature" which was unlocked or discovered by chinese first? can I sue Oracle or can I at least stay for a week in that private island of its CEO?

I have version Java 1.6 but I already uninstalled it around 2009 and my browser is only using JavaScript since then. Didn't know it is now Java 7 release 7.

Martmarty
30 August, 2012 21:37

Reply Vote
Disable it

Time to disable Java in the browser me thinks, don't think it should be too much of an issue

kjetil_h
30 August, 2012 23:35

Reply 2 Votes
They've now removed update selections.

You can no longer control updates with this most recent update.
Maybe it is time to remove Java from the computer.

JDLjr
31 August, 2012 22:08

Reply 1 Vote
On the side of safety

I disabled Java add-on in Firefox. When this mess is settled maybe Oracle can convince me that there is redeeming value in using Java in my browser.

webtech_z
31 August, 2012 22:09

Reply 2 Votes
java

Rachel any new news here? I read this morning 8/31/21 that Polish security researcher
Adam Gowdiak who allegedly reported this to Oracle to begin with has stated that he discovered a work around to the latest Oracle Java patches as recently as today or yesterday.
I can't remember the link. If I do I will post it. I have not re enabled Java. I was waiting for ZD net, Cnet, PCW. and most of the other mainstream sites to give the all clear. not so sure about you all now? Maybe I should check over at Wired Or The Register?
Ars Technica was one of the first to give an all clear yesterday prematurely or not? Gowdiac further said he will not publish the code for this latest find until Oracle patches it .
Entirely possible others could figure out what he did if he did publish the work around as the code was published for the earlier vulnerabilities . So I will keep Java off but JavaScript on as it is not affected. I haven't noticed missing anything yet ,if that's the case I`ll leave it off. I've never allowed any automatic updates especially Flash and Java I do most updates manually except windows ,and antivirus . So far life without Java is one less thing to worry about.
I think Firefox and Chrome are automatic recently even then I usually beat them to it.

preferred user
1 September, 2012 02:57

Reply Vote
Latest on java patch fail?

"Here we go again: Critical flaw found in just-patched Java

Emergency fix rushed out half-baked"

This from our friends at The register
http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

preferred user
1 September, 2012 03:26

Reply 2 Votes
word on the street...

is that java 7 update 7 has a security flaw as well. security-explorations DOT com reported a complete sandbox escape in java... oh oracle! at this point one has to ask how important is java to them and whether or not they can continue without it. java is a complete joke at this point in time.

archangel127
1 September, 2012 04:56

Reply 2 Votes
- java
  
  Keeping my java off just got a fake Microsoft "change of service terms e mail today "
  deleted it anyway looked like a copy of a legitimate Microsoft e mail . seems that
  fake Amazon and Pay Pal e mails (and others) with Java exploits are circulating also. Probably a lot of exploit tool kits sold and being used.
  
  preferred user
  6 September, 2012 00:26
  
  Reply Vote
edit

When The Register says it's fixed maybe I will believe it. (they seem to be well informed there.) I might keep it off anyway one less
thing to deal with.

preferred user
6 September, 2012 00:28

Reply Vote