Oracle Issues Java Update Addressing Five More Flaws


Oracle has addressed five additional vulnerabilities in Java 7, issuing a security update Tuesday that follows a rushed Java release earlier this month.

The security update, Java 7 Update 15, includes four fixes for client-side vulnerabilities that could be exploited through Java Web Start applications on desktops and through Java applets in web browsers, according to Eric Maurice, director of software assurance at Oracle. Three of the flaws carry the highest possible Common Vulnerability Scoring System (CVSS) base score, 10.0, meaning they can be exploited remotely without authentication.

"Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible," Maurice said in a blog post about the update.
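Applying the update "as soon as possible" in practice means finding every desktop still running an older Java 7 build. The script below is an added illustration, not code from Oracle or from this article: it parses the version line that `java -version` prints on each host and sorts hosts into those already at or above Java 7 Update 15 (the fixed release named above), those still on an earlier Java 7 build, and those that need separate review (Java 6 or older, early-access builds, or no Java found). The host inventory is constructed for the example.

```python
"""Triage a fleet of hosts by the Java runtime version each one reports.

Added example, not Oracle's or the article's code. The only fact taken from the
article is the fixed release, Java 7 Update 15; host names and version output
below are constructed sample data.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class JavaVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    update: int
    suffix: str  # e.g. "-ea" for early-access builds; empty when absent

    def release(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.micro)


# First fixed release for the client-side flaws discussed in the article.
FIXED_JAVA7 = JavaVersion(1, 7, 0, 15, "")

# First line of `java -version` output looks like:  java version "1.7.0_13"
# Also accepts 1.7.0 (no update number) and 1.8.0-ea (early-access suffix).
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "'
    r'(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)'
    r'(?:_(?P<update>\d+))?'
    r'(?P<suffix>-[^"]*)?"'
)


def parse_java_version(version_output: str) -> Optional[JavaVersion]:
    """Extract the JRE version from `java -version` text; None if not found."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    return JavaVersion(
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("micro")),
        int(m.group("update") or 0),
        m.group("suffix") or "",
    )


def assess(version_output: str) -> str:
    """Classify one host's `java -version` output against the fixed release."""
    v = parse_java_version(version_output)
    if v is None:
        return "unknown"  # no Java on PATH, or unparseable output: check by hand
    if v.suffix.startswith("-ea"):
        return "prerelease"  # early-access build: patch status not implied by number
    if v.release() == FIXED_JAVA7.release():
        return "patched" if v.update >= FIXED_JAVA7.update else "vulnerable"
    if v.release() < FIXED_JAVA7.release():
        return "older-release"  # Java 6 or earlier: outside this update, still needs action
    return "newer"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by assessment status, hosts sorted within each group."""
    groups: Dict[str, List[str]] = {}
    for host, output in sorted(inventory.items()):
        groups.setdefault(assess(output), []).append(host)
    return groups


# Constructed sample: what `java -version 2>&1` returned on each hypothetical host.
SAMPLE_INVENTORY = {
    "dev-laptop-01": 'java version "1.7.0_13"\n'
                     'Java(TM) SE Runtime Environment (build 1.7.0_13-b20)',
    "dev-laptop-02": 'java version "1.7.0_15"\n'
                     'Java(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "legacy-box": 'java version "1.6.0_39"',
    "ci-runner": 'java version "1.8.0-ea"\n'
                 'Java(TM) SE Runtime Environment (build 1.8.0-ea-b76)',
    "kiosk": "bash: java: command not found",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Two caveats when running this against real hosts: `java -version` writes to stderr, so collect it with `2>&1`, and it only reports the JRE found on the PATH. A browser plugin can load a different, older JRE than the one on the PATH, and the four client-side flaws are reached through that plugin and through Web Start. Where a desktop does not need applets, disabling Java content in the browser from the Java Control Panel (an option present since Java 7 Update 10) removes that exposure regardless of the update level.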


The update's fifth fix applies to server deployments of the Java Secure Socket Extension (JSSE), addressing an SSL/TLS implementation issue that was disclosed by security researchers.

Maurice wrote that Oracle will continue to accelerate the release of Java fixes to "help address the security worthiness of the Java Runtime Environment in desktop browsers." The next scheduled security update for Java SE is April 16.

Java has faced a hailstorm of issues in recent weeks, with several zero-day vulnerabilities surfacing in widespread attacks. Apple and Facebook recently disclosed attacks on some employee laptops that exploited a Java zero-day vulnerability which has since been patched. Both firms said the attacks did not expose customer data.

Meanwhile, The New York Times published a report documenting a targeted attack using a Java zero-day flaw to gain access to employee devices and ultimately conduct surveillance on specific journalists.

Experts said that although a zero-day exploit was used in the attacks on Apple and Facebook employees, it was very likely part of a broader campaign. Employees from both firms had visited the iPhoneDevSDK developer website, which attackers had compromised and turned into an attack platform that served the exploit to anyone who visited the site's forum. Representatives from the site acknowledged late Tuesday that an administrator account had been compromised and used to inject malicious JavaScript into the site.

H.D. Moore, chief security officer of vulnerability management vendor Rapid7 and chief architect of the popular Metasploit penetration testing tool, told CRN that the attack was not sophisticated and very likely part of a widespread campaign compromising websites to attack as many people as possible.

Zero-day vulnerabilities are bought, sold and traded among cybercriminals and even added to automated attack toolkits designed to conduct broad attacks infecting as many people as possible, Moore said.

PUBLISHED FEB. 20, 2013