Oracle patches serious Java flaw
Oracle has patched a major flaw in Java that had security experts warning users to delete it from their computers.
On Sunday, researchers at FireEye reported they had uncovered a serious hole in Java, with senior staff scientist Atif Mushtaq telling PC Pro that it “is a very serious issue and it needs to be addressed as soon as possible”.
While issuing a patch a few days after the flaw was discovered may seem like quick action, it was enough time for the exploit to be worked into a major malware toolkit. Plus, another research firm, Security Explorations, said it reported the vulnerability to Oracle months ago – with no response.
Oracle did not acknowledge the problem until late last night, but did reference the security reports as it rolled out an out-of-cycle upgrade to Java, ranking three of the four flaws it addressed as top-level threats.
“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” software security assurance director Eric Maurice said in an Oracle blog post. “Furthermore, note that the technical details of these vulnerabilities are widely available on the internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.”
Chester Wisniewski, senior security advisor at Sophos, noted that the update also included patches for previously unknown flaws, suggesting those vulnerabilities may also already be in use by hackers.
“The good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk,” he added in a blog post. “The bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch, not just those who were running Java 7.”
He added that it’s still a wise move to delete Java from your machine, if you don’t actually use it. “If you can get by without it, you should,” Wisniewski said. “That is true for any application that interfaces with the internet. Fewer programs means fewer vulnerabilities.”