Oracle has been under increasing pressure in recent months to finally fix the myriad of security flaws that have plagued Java. In an unexpected emergency out-of-band patch released Friday afternoon, Oracle has responded definitively to critics with a massive security patch fixing at least 50 different issues.
The February 2013 Critical Patch Update for Java SE was originally scheduled for February 19th, but given that at least one of the vulnerabilities is being actively exploited, Oracle decided to expedite the patch update.
Of the 50 fixes, 40 of them are specific to Java usage in web browsers, which has been the primary attack vector against Java.
“The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers,” Eric Maurice, manager for Oracle’s global technology business unit, stated.
Maurice stressed that Oracle is moving very rapidly to fix critical issues. At the end of last week, Oracle publicly posted an audio call with its Java security team, where the team lead admitted that Java needed to be fixed. The new Java February patch update is intended to be a key part of the fix.
Oracle issued a critical one-off patch two weeks ago to fix a flaw that was being actively exploited at the time. That patch, in turn, missed at least one flaw that has been exploited over the last two weeks and is now part of the 50-flaw fix. In terms of the critical Java flaw that is currently being exploited in the wild, Maurice also admitted that Oracle already had a fix for the flaw in process and had to accelerate the patching process to get it out today.
“The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers,” Maurice said.
Looking at the contents of Oracle’s February Critical Patch Update for Java reveals that 49 of the 50 flaws being fixed are remotely exploitable without authentication. Oracle’s Risk Matrix for the flaws shows that at least 35 of the flaws carry a CVSS score of 10.
The Common Vulnerability Scoring System (CVSS) is used by multiple IT vendors, among them Cisco and Oracle, to provide a common metric to determine the risks associated with a given vulnerability. A score of 10 is the highest possible and represents the most serious and immediate risk.
In addition to the 50 fixes, Maurice reminded users that Oracle has now also set Java security settings to high. The Java 7 update 10 release that came out in December of 2012 introduced a new security panel to Java that allows users to set different levels.
“As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet,” Maurice explained. “In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.”
Oracle has already scheduled the next three regularly planned sets of security updates for Java for June 18th, October 15th, and January 14th of 2014.