Oracle to re-release Java SE patch with extra helping of fixes

Oracle didn't have time to fix all the Java bugs when it released its out-of-band patch earlier this month, so now there's a redux on the way.
Written by Liam Tung, Contributing Writer

Thought you'd sorted the problems with Java SE already this month? Think again — a new patch is on the way.

Oracle may have released a fix for 50 Java SE vulnerabilities in its out-of-band update at the start of February, but administrators will need to patch the software again: the company has announced that an updated patch will shortly be made available, bringing a "small number" of fixes that Oracle could not include in time for the first patch's release.

The original Critical Patch Update (CPU) for Java SE was due to be released on 19 February, but Oracle brought it forward to close a zero-day flaw affecting the Java Runtime Environment in desktop browsers that was already being exploited by attackers.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's director of software security assurance, Eric Maurice, announced on the company's blog on Friday. 

"This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn't be released on February 1st."

Maurice did not say how many fixes Oracle missed in the first release. However, he noted the updated patch will be cumulative, meaning that it will also include all the fixes in the first release.

Two days ahead of Oracle's original patch update, Apple used its anti-malware system XProtect to block web plugin versions of Java 6 and 7 in Safari, which caused some problems for Java-based enterprise applications.

It's unclear if the 19 February patch will also include fixes for Java 6, which Apple still maintains.
