Information Security News
mailing list archives
New security protection, fixes for 39 exploitable bugs coming to Java
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 16 Apr 2013 01:09:31 -0500 (CDT)
By Dan Goodin
Apr 15 2013
Oracle plans to release an update for the widely exploited Java browser
plugin. The update fixes 39 critical vulnerabilities and introduces changes
designed to make it harder to carry out drive-by attacks on end-user
The update scheduled for Tuesday comes as the security of Java is reaching
near-crisis levels. Throughout the past year, a series of attacks hosted on
popular websites has been used to surreptitiously install malware on unwitting
users' machines. The security flaws have been used to infect employees of
Facebook and Apple in targeted attacks intended to penetrate those companies.
The vulnerabilities have also been exploited to hijack computers of home and
business users. More than once, attackers have exploited one previously
undocumented bug within days or weeks of patching a previous "zero-day," as
such vulnerabilities are known, creating a string of attacks on the latest
version of the widely used plugin.
In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a
pre-release announcement. The post went on to say that "39 of those
vulnerabilities may be remotely exploitable without authentication, i.e., may
be exploited over a network without the need for a username and password." The
advisory didn't specify or describe the holes that will be patched. Security
Exploration, a Poland-based security company that has discovered dozens of
"security issues" in Java, has a running list of them here.
In addition to the bug fixes, Oracle developers plan to roll out changes to
Java that are intended to help end users make better decisions about when (and
when not) to allow Java code to be executed in their browsers. Under the
update, Java will display a variety of messages and dialog boxes, such as the
one shown above, when it encounters websites that host Java applets. In some
cases, the code will be executed only after an end user clicks an "OK" button.