BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Java: Sizeable Critical Patch Update and Two Sugars, Please

Post by BeyondTrust Research Team April 15, 2013

Oracle is rolling out yet another Critical Patch Update (CPU) for Java – and this time they’ve fixed 39 remotely exploitable vulnerabilities. This is not to say that all of these vulnerabilities may provide an attacker with remote code execution. However, the highest CVSS Base Score of all the vulnerabilities was a 10.0, meaning that an attacker would have gained a considerable amount of capabilities on the target machine if the vulnerability was properly exploited. The amount of vulnerabilities with a 10.0 CVSS score is not known, but if it is anything like February’s CPU, there may be a considerable amount.

This Critical Patch Update fixes a total of 42 security fixes, which is slightly outclassed by February’s CPU which brought 55 security updates, including the updated February re-release prompted by attacks occurring in the wild.

April’s CPU is coming out tomorrow, April 16th, with another CPU scheduled for June 18th, 2013. Oracle had promised in the past that they would be increasing the frequency of Java patches, so there is some likelihood of another unscheduled patch. As always, ensure that your systems that utilize Java are up-to-date using Retina CS, which also provides Java patching. If you have systems with Java installed that do not need Java, uninstall Java immediately and save yourself the headache.

Update: Java 7 Update 21 and Java 6 Update 45 have been released! For more information about the patch contents, check out Oracle’s risk matrix, which details the CVEs addressed in this latest patch. For more information about a few exploitable vulnerabilities that were patched in this update, read Adam Gowdiak’s (Security Explorations) description of some of the vulnerabilities they discovered and reported to Oracle. Also included in this update are a few changes to Java’s security prompts, which will prove useful for avoiding malicious Java applets that were self-signed or unsigned.

Tags:
, , , , , ,

Leave a Reply

Additional articles

April VEF Participant Wins a Apple iPad mini

Every month we host our Vulnerability Expert Forum (VEF) webinar. This is a time where our experts share valuable insight regarding new vulnerabilities that are discovered and the actions that need to be taken as a result. It’s a quick way to get up to speed on current potential risks to your organization and a way to…

Post by Qui Cao April 24, 2014
smart rules manager for vulnerabilities - v2

A New Way of Looking at Vulnerabilities in Your Environment

Assets, users, vulnerabilities and exploits; all are common themes in my posts on BeyondInsight. With BeyondInsight v5.1, we unveiled a new way to view exploitable assets. Sure, most vulnerability management solutions link vulnerability data to exploit information, allowing tools like NeXpose and QualysGuard to list an asset, its vulnerabilities, and any related exploits. BeyondInsight does…

Post by Morey Haber April 23, 2014
Tags:
, , , , ,
smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,