Oracle patches multiple Java zero-day holes, increases default security


Summary: Oracle has delivered on its promise to quickly make available a patch for the zero-day vulnerability discovered last week, but the patch doesn't just close off that hole; it also closes another that may have been lurking around for much longer.


Last week, a researcher going by the name "kafeine" spotted a number of sites that were abusing a zero-day vulnerability in Java 7 Update 10. In-the-wild exploitation was confirmed by several others, and the flaw was assigned the vulnerability identifier CVE-2013-0422.

The vulnerability potentially put over 850 million PCs at risk, and was serious enough to warrant separate warnings from the US government, Apple, and Mozilla, each of which either took action themselves to disable Java plug-ins or advised users not to use the software.

Today, Oracle released advice on the vulnerability, with Oracle Software Security Assurance Director Eric Maurice writing on one of Oracle's security blogs that the company's newest patch, Java 7 Update 11, mitigates not only CVE-2013-0422 but also CVE-2012-3174.

According to Oracle, the latter is an "easily-exploitable vulnerability [that] allows successful unauthenticated network attacks via multiple protocols," and a "successful attack of this vulnerability can result in unauthorised Operating System takeover, including arbitrary code execution."

Like CVE-2013-0422, it affects Java 7 Update 10 and earlier, and it too received the maximum Common Vulnerability Scoring System (CVSS) score of 10.

While there appear to be no further details available for CVE-2012-3174, the Mitre Common Vulnerabilities and Exposures database shows that the identifier was assigned on June 6 last year. CVE identifiers can be assigned and reserved before a vulnerability becomes known, but they are generally used within a short time of reservation. For comparison, CVE-2013-0422 was assigned on December 7 last year, roughly a month before it was first discovered by researchers.

Java 7 Update 11 also brings one other change that strengthens Java's existing security controls. With the newest patch, the default Java Security Level changes from medium to high. As a result, the user is always prompted before an unsigned Java applet or Web Start application is run.
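An added check, not code from the article or from Oracle, that an administrator could use to classify the version string printed by `java -version` against the affected range described above (Java 7 Update 10 and earlier) and to confirm that a deployment.properties file pins the Security Level to HIGH or VERY_HIGH. The sample version strings, the file contents and the temporary file path are constructed; the `deployment.security.level` key is the documented Java 7u10+ Security Level setting.

```shell
#!/bin/sh
# Added example (not from the article or Oracle). Sample data is constructed.
# Note: `java -version` prints to stderr, so capture it with `java -version 2>&1`.

# Extract the quoted version, e.g. 1.7.0_10, from the first line of `java -version` output.
version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^java version "\([^"]*\)".*/\1/p'
}

# Return 0 when VERSION is in the Java 7 line at Update 10 or earlier (the range
# the article names). Java 6 and older are outside what this check covers.
java7_affected() {
    major=$(printf '%s' "$1" | cut -d. -f2)
    update=$(printf '%s' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    [ -z "$update" ] && update=0          # e.g. "1.7.0" with no update number
    [ "$major" -eq 7 ] && [ "$update" -le 10 ]
}

# Return 0 when FILE sets deployment.security.level to HIGH or VERY_HIGH.
# The last matching line wins, mirroring how a properties file is read.
security_level_ok() {
    level=$(sed -n 's/^deployment\.security\.level=\(.*\)$/\1/p' "$1" | tail -n 1)
    case "$level" in
        HIGH|VERY_HIGH) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed input.
demo() {
    out='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)'
    v=$(version_from_output "$out")
    if java7_affected "$v"; then echo "$v: in affected range, update to 7u11 or later"
    else echo "$v: outside affected range"; fi

    f=$(mktemp)                                               # constructed properties file
    printf 'deployment.security.level=MEDIUM\n' > "$f"        # the pre-7u11 default
    security_level_ok "$f" && echo "level ok" || echo "level below HIGH"
    printf 'deployment.security.level=HIGH\n' > "$f"          # the new default, pinned
    security_level_ok "$f" && echo "level ok" || echo "level below HIGH"
    rm -f "$f"
}

demo
```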

Users who are still running Java 7 Update 10 are advised by Oracle to update immediately to Java 7 Update 11 or, if the software is not required, to uninstall it. ZDNet has prepared a guide for users who wish to disable Java in their browser on Windows and Macs.

For those who need the software, Java's built-in updater should handle the update; further patch notes and resources for administrators using the Java Development Kit are available from Oracle's website.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.



  • Cool

    No company is 100% secure.

    No product is 100% bug- or problem-free.

    How a company addresses such problems interests me far more than any marketed claptrap to massage the rubes with.
    • HypnoToad72 you are 100% correct

      100% of the so called correct thing to do that were posted on Zdnet were half assed and only half correct........end of story..........and the so called correct ways to solve the problem that Java supplied were half assed in that they left out too many actual steps.......if a person didn't know how to read between the lines you'd never get it done.........the average user was screwed..........thank goodness the problem appears to be fixed and now will come down through regular update channels.

      One thing you can learn from coming to Zdnet is that most of the posters are full of S***

      Enough said and end of story
      Over and Out
  • What do you think?

    Does the IT community around the WORLD have to KISS Oracle butt for them to keep their software up to date?.....another example of a greedy IT company failing to do what is many Billions does Ellison have and he can't do the right thing in advance..................
    Over and Out
  • or as per Forbes > kill the program in your browser for GOOD
    • better yet, use android

      and get rid of java and .nyet
      The Linux Geek
  • a solution?

    There’s an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:
    Blair Nicole