Oracle Java: 20 new vulnerabilities patched
Welcome to the n-th iteration of "patch now" for Java on workstations. Oracle today published its quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE. Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited and lead to full compromise, which means that keystroke loggers, ebanking trojans, etc. will soon follow.
Oracle/Java is probably by now one of the most successful charities in the world; it continues to do an outstanding job of enabling significant wealth transfer to support poor cyber criminals and their families. Except that the sources of the funds usually have no idea, and never agreed to donate directly from their bank accounts...
After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or at least to no longer run the Java plugin within the web browser. Otherwise, it is back to the hamster wheel: re-test all your applications that still require Java, check for the inevitable incompatibilities with this latest release, and then expedite the roll-out. This is definitely a patch that you don't want to skip or delay.
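As an added example (not part of the diary), the triage a workstation admin runs against a Java inventory: normalise Oracle's inconsistent version strings ("1.7.0_25", "7u65", "1.4.2_19") so they compare numerically, read whether the browser plugin has been switched off via the deployment.webjava.enabled key in deployment.properties, and sort each host into remove / patch / disable-plugin / ok. The inventory and the MIN_UPDATE numbers below are constructed placeholders; take the real update numbers from the Oracle bulletin linked in the diary.

```python
import re
from typing import Dict, List, Optional, Tuple

# Java version strings come in several shapes: "1.7.0_65", "7u65", "1.4.2_19".
# Normalise them to (family, update) so they compare numerically, not as text.
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")   # 1.7.0_65 -> (7, 65)
_SHORT = re.compile(r"^(\d+)u(\d+)$")                # 7u65     -> (7, 65)

def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) or None if the string is not recognised."""
    m = _LEGACY.match(text.strip()) or _SHORT.match(text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def web_plugin_enabled(deployment_properties: str) -> bool:
    """True unless deployment.properties (per-user or system-wide) contains
    deployment.webjava.enabled=false, which switches Java off in browsers."""
    for line in deployment_properties.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True  # the plugin is on by default when the key is absent

def classify(version: str, props: str, min_update: Dict[int, int]) -> str:
    """'remove' for families with no supported fix, 'patch' when below the
    minimum update, 'disable-plugin' when current but still exposed to browsers."""
    parsed = parse_java_version(version)
    if parsed is None or parsed[0] not in min_update:
        return "remove"
    if parsed[1] < min_update[parsed[0]]:
        return "patch"
    return "disable-plugin" if web_plugin_enabled(props) else "ok"

# Constructed inventory: (host, reported Java version, deployment.properties).
# MIN_UPDATE values are placeholders, not the CPU's real update numbers.
MIN_UPDATE = {7: 60, 8: 10}
INVENTORY: List[Tuple[str, str, str]] = [
    ("lab-pc-01", "1.7.0_25", ""),
    ("lab-pc-02", "7u60", "deployment.webjava.enabled=false\n"),
    ("scoring-srv", "1.4.2_19", ""),
    ("lab-pc-03", "1.8.0_11", "deployment.webjava.enabled=true\n"),
]

def report(inventory=INVENTORY, min_update=MIN_UPDATE) -> Dict[str, str]:
    """Map each host to the action it needs."""
    return {host: classify(ver, props, min_update) for host, ver, props in inventory}

if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host:12} {action}")
```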
The full Oracle patch bulletin is available here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA .
The other Oracle patches (for database, etc) released in today's patch CPU are still under analysis here at SANS ISC. I'll post about them later, if warranted.
Comments
Anonymous
Jul 16th 2014
Yes, unfortunately.
Lots of applications in the educational and public arena either run in a JVM, or utilize webpages that leverage Java.
One entity for which I consulted a while ago uses a product that, just a few months ago (around April of 2014 or so) finally OK'd the use of Java 7 Update 25 (from June 2013). Anything newer than that, and their app breaks.
A whole suite of special ed testing and scoring software that many school districts use still uses Java 1.4.x.
I could go on...
Anonymous
Jul 17th 2014
I HATE JAVA!!
Anonymous
Jul 24th 2014
As a software engineering student, I do follow this site based on the http://java.tv/how-to-learn-software-engineering/ article.
I hope I will be a knowledgeable engineer.