Oracle fixes zero-day Java flaw and over 190 other vulnerabilities

Users should update Java as soon as possible because attackers are already taking advantage of at least one vulnerability

Go ahead and update Java -- or disable it if you don't remember the last time you actually used it on the Web: Oracle's latest patch, released Tuesday, fixes 25 vulnerabilities in the aging platform, including one that's already being exploited in attacks.

In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components.

The patched products include Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. However, only the Java 8 update is publicly available, because general support for Java 7 and Java 6 ended some time ago. Only customers with extended support contracts continue to get access to security patches for those versions.

Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.

One fix is specific to the Mac platform and four fixes are for the Java Secure Socket Extension (JSSE), said Eric Maurice, director of software security assurance at Oracle, in a blog post.

The most high-risk vulnerability fixed in this Java update is known as CVE-2015-2590 and had zero-day status until this update. This means attackers were already exploiting it while no fix was available.

An exploit for this vulnerability was recently uncovered by researchers from Trend Micro in attacks that targeted, at the very least, the armed forces of an unnamed NATO country and a U.S. defense organization.

The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 that is believed to have ties to Russia's intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.

While Java is still widely used for Web-based applications in business environments, it's rarely seen on consumer-oriented websites today. Therefore, many users don't need the Java browser plug-in, which is the target of the majority of Java exploits.

Manually removing or disabling Java from every browser installed on a computer is possible, but the plug-in might get re-enabled with the next Java update. And uninstalling the Java runtime completely from the system is often not viable, because there are still popular desktop applications that need it.

Fortunately, Oracle added an option in the Java control panel that serves as a central place to disable support for Java-based content across all browsers.

For companies that do need Java support on the Web, defending against zero-day exploits can be a bit more complicated. However, there are options to significantly reduce the likelihood of attacks.

Internet Explorer has a feature that administrators can use to restrict which websites are allowed to load Java content, such as only those hosting relevant business applications. And browsers like Mozilla Firefox and Google Chrome have a click-to-play option that can be used to prevent the automatic execution of Web-based Java content.
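A small audit helper for the two defensive checks above, added here as an example and not code from the article or from Oracle: it flags a Java 8 runtime older than the 8u51 release the article names, and reads the deployment.properties key behind the Java Control Panel's browser-content checkbox. The version strings and properties file below are constructed sample inputs, and the treatment of Java 6 and 7 assumes no extended-support contract.

```python
import re

# Patched Java SE 8 release the article names (8 Update 51).
PATCHED_JAVA8_UPDATE = 51

# First line of `java -version` output (note: it is written to stderr), e.g.
#   java version "1.8.0_45"
# Java 9+ uses a different scheme and is deliberately left unmatched here.
VERSION_RE = re.compile(r'version "1\.(?P<major>\d+)\.\d+_(?P<update>\d+)')

def parse_java_version(version_output):
    """Return (major, update) from `java -version` output, or None."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))

def needs_update(version_output):
    """True when the runtime predates the 8u51 patch level.

    Java 6 and 7 are always flagged: their public updates ended earlier
    (assumption for this example: no extended-support contract)."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return True  # unknown or newer format: flag for manual review
    major, update = parsed
    if major < 8:
        return True
    return major == 8 and update < PATCHED_JAVA8_UPDATE

def browser_content_disabled(deployment_properties):
    """True when deployment.properties switches off Java content in browsers.

    deployment.webjava.enabled is the key behind the Control Panel's
    'Enable Java content in the browser' checkbox."""
    for line in deployment_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False  # key absent: Oracle's default leaves browser content enabled

# Constructed sample inputs, not taken from any real host.
SAMPLE_VERSION_OLD = 'java version "1.8.0_45"\nJava(TM) SE Runtime Environment (build 1.8.0_45-b14)\n'
SAMPLE_VERSION_NEW = 'java version "1.8.0_51"\n'
SAMPLE_PROPS = "#deployment.properties\ndeployment.webjava.enabled=false\n"
```

On a real host, feed it the stderr of `java -version` and the contents of the user's or system deployment.properties file.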
