Oracle updates Java 7 after Apple’s browser plugin block

  • Liam Tung (CSO Online)
  • 04 February, 2013 10:13

Oracle on Friday released its February critical patch update for Java 7 two weeks ahead of schedule and days after Apple blocked it for the second time in a month.

The critical Java SE 7 Update 13 fixes 50 vulnerabilities, including one affecting the Java Runtime Environment (JRE) in desktop browsers that was being exploited by hackers.

The attacks prompted Oracle to “accelerate” its usual testing procedures and release the full monthly update two weeks ahead of the February 19 schedule. 

“Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” Eric Maurice, Oracle’s director of software security assurance explained in a blog post on Friday.

The company noted that 49 of the flaws are remotely exploitable without authentication. Forty-four affect Java in desktop browsers only, and three affect Java in both desktop browsers and servers.

The browser flaws can be exploited by untrusted Java applets and Java Web Start applications, while the server-side flaws can be exploited by supplying malicious data to APIs in vulnerable server components.

In addition, one flaw impacts JRE desktop installation processes and two impact server deployments of Java Secure Sockets Extension.  

The release came days after Apple used its anti-malware feature XProtect to block the latest version of the Java 7 Update 11 web plugin, marking the second time it had taken the measure in January.

The move by Apple appeared to be intended to protect users from attacks against the vulnerabilities; however, the lack of warning caught some businesses that use Macs and enterprise applications built on Java by surprise.

Oracle’s Maurice said the company will begin patching security flaws faster in future, noting that Java was such a popular target for hackers because attacks on Java in browsers were OS-independent.

“The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers,” he said.
