Oracle Patches Critical Flaw in Java

By Wolfgang Gruener
published

Oracle has reacted to the recent discovery of a critical security issue in Java.

 Java 7 Update 11 patches the vulnerability, as well as a second severe security problem. Oracle said that it "strongly recommends that all Java SE 7 users upgrade to this [new] release".

Oracle confirmed that the vulnerabilities "may be remotely exploitable without authentication". An attacker would not need for a username and password to exploit the issue, but an "unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities."

Oracle noted that users who reacted to the vulnerability by disabling Java, will have to still re-enable Java manually following the installation of the patch. Among others, the U.S. government had recommended users of Java 7 Update 10 and before to disable Java. However, at least one security researcher does not believe that Oracle has done enough to enable Java again.

"We don't dare to tell users that it's safe to enable Java again," Adam Gowdiak, a researcher with Poland's Security Explorations, told Reuters. According to Gowdiak, the update does not address several other vulnerabilities.

The issue as well an exploit were first discovered by @kafeine last Friday.

Contact Us for News Tips, Corrections and Feedback

Wolfgang Gruener
11 Comments Comment from the forums
  • tntom
    Well great! I must use Java for my work. I teach remotely over the internet for a large online education company. That is almost 600 teachers and around 100,000 students. They use Blackboard Collaborate. It is Java based and launches it's own window outside the browser. I can't imagine how many other platforms require Java on a daily basis but Oracle needs to make sure it is secure.
    Reply
  • electronian
    Reuters just reporting that the patch has left remaining vulnerability: http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114
    Reply
  • godfather666
    What they also need to fix is to stop trying to install the Ask.com toolbar on my PC.
    Reply
  • Soda-88
    iknowhowtofixitA link to download would be great...Control Panel>Java (32-bit)>Update>Update now
    Reply
  • Cryio
    How bad was this exploit?

    Could it make any damage on a Windows 8 x64, Opera x64, Oracle x64 plug-in? Which was only used now and then?
    Reply
  • ko888
    Below the article's title just click on the word Oracle, it's hyper-linked to the Downloads page.

    2:50 PM - January 14, 2013 by Wolfgang Gruener - source: Oracle
    Reply
  • internetlad
    To everybody asking for a link

    http://lmgtfy.com/?q=latest+version+of+java
    Reply
  • d_kuhn
    I just disabled or uninstalled Java to avoid the issue... I'm curious to see how much trouble it causes (web pages not loading properly). So far (2 days) not one problem.
    Reply
  • A Bad Day
    There's nothing wrong with Java, but there is something wrong with the company managing its compiler.

    Java allows programs to be ported across many OSes or platforms with minimal efforts, thus decreasing bugs and project costs.

    However, I do not like Oracle's efforts at making Java secure.
    Reply
  • ko888
    d_kuhnI just disabled or uninstalled Java to avoid the issue... I'm curious to see how much trouble it causes (web pages not loading properly). So far (2 days) not one problem.If you're not running Java applications and/or applets you shouldn't encounter any problems.

    The web browser deals with JavaScript which is different than an an application developed using the Java programming language and requires the JRE to be able to run it.
    Reply