Oracle Fixes Critical Java Flaws, Repairs Tool


Oracle has issued a security update for Java Standard Edition, repairing 40 Java SE vulnerabilities in the browser and server versions of the platform.

The updates, issued Tuesday, repair 34 flaws in the Java Runtime Environment for the endpoint, including several rated critical with a score of 10 under the Common Vulnerability Scoring System. The repairs also affect server JRE deployments.

In its June 2013 Critical Patch Update, Oracle said the update is cumulative, containing all fixes from previous security updates and alerts. The update includes fixes to 37 flaws that can be exploited remotely without authentication, Oracle said.


In addition, the update includes a repair to the Javadoc tool used to generate API documentation in HTML format. The fix corrects a coding error that leaves the right-hand frame of generated documentation pages vulnerable to code injection when they are hosted on a web server, Oracle said. "Sites hosting such pages should re-generate the API documentation using the latest Javadoc tool and replace the current pages with the re-generated Javadoc output," the company said.
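The Javadoc frameset page picks the document for its right-hand frame from its own query string (for example `index.html?java/lang/String.html`), and passing that value to the frame unchecked is what a crafted link abuses. The following is an added example, not Oracle's code or the patched Javadoc output: a strict allow-list validator for such a frame target, which assumes that query-string convention and a default page named `overview-summary.html` in the generated output.

```javascript
// Added example (not Oracle's code): allow-list validation of a Javadoc-style
// frame target. The frameset page takes the page for the right-hand frame from
// the query string, e.g. index.html?java/lang/String.html; if that value reaches
// the frame unchecked, a crafted link can load arbitrary content into the
// documentation page. Accept only a relative, dot/slash-separated identifier
// path ending in ".html", with an optional anchor.

// One path segment: identifiers joined by single dots (nested classes such as
// Thread.State), so ".", "..", empty and dot-leading segments never match.
const SEGMENT = /^[A-Za-z_$][A-Za-z0-9_$-]*(\.[A-Za-z_$][A-Za-z0-9_$-]*)*$/;
// Anchor text as Javadoc emits it, e.g. "substring(int,%20int)".
const ANCHOR = /^[A-Za-z0-9_$.,()%-]+$/;
const EXT = ".html";

function isSafeFrameTarget(target) {
  if (typeof target !== "string" || target.length === 0 || target.length > 512) {
    return false;
  }
  // Anything with a scheme or a leading slash could leave this site's origin
  // (javascript:, data:, https://, protocol-relative //host). Reject it early.
  if (/^[A-Za-z][A-Za-z0-9+.-]*:/.test(target)) return false;
  if (target.startsWith("/") || target.startsWith("\\")) return false;

  const hash = target.indexOf("#");
  const path = hash === -1 ? target : target.slice(0, hash);
  const anchor = hash === -1 ? "" : target.slice(hash + 1);
  if (hash !== -1 && !ANCHOR.test(anchor)) return false;
  if (!path.endsWith(EXT)) return false;

  // Every segment before ".html" must be a plain identifier path; this also
  // rejects "%2e%2e", backslashes, "?" and control characters.
  return path.slice(0, -EXT.length).split("/").every((seg) => SEGMENT.test(seg));
}

// Pick the frame target from window.location.search, falling back to a known
// page (assumed default name) whenever the supplied value fails validation.
function frameTargetFromQuery(search, fallback = "overview-summary.html") {
  const candidate = search.startsWith("?") ? search.slice(1) : search;
  return isSafeFrameTarget(candidate) ? candidate : fallback;
}

// In the frameset page this would replace the unchecked assignment:
//   top.classFrame.location = frameTargetFromQuery(window.location.search);
```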

In a blog post outlining the security update, Eric Maurice, director of security assurance at Oracle, urged users to update to the latest version. The majority of the security fixes are for remotely exploitable flaws, and cybercriminals could create exploits targeting them, he wrote.

"Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities," Maurice wrote. "Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way."

Java has become the most widely exploited software platform on the Internet due to its huge install base, according to security researchers. Exploits targeting Java flaws have been incorporated into automated attack toolkits. Oracle has been busy introducing restrictions into the software, including a stronger certificate validation mechanism, to make the platform more difficult for attackers to exploit.

While security researchers praise the security improvements, they say many users fail to update to the latest version, enabling attackers to keep targeting vulnerabilities that have long been patched. A recent study conducted by security firm Websense found that only 5.5 percent of Java-enabled browsers are running the latest Java plugins. Many of the Java components used in the browsers were more than six months old, Websense said.

Amol Sarwate, director of vulnerability labs at Qualys Inc., said attackers have a variety of ways to target the latest vulnerabilities. In his analysis of the security update, he warned that the flaws enable an attacker to take complete control of a system. "An attacker can achieve this by using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox," Sarwate wrote.