Wednesday, January 16, 2013

New Patch Fixing Critical Java Hole Released: Update Your Java Now!

A new Java patch has been released, repairing a critical security vulnerability which reportedly opens the door to large-scale cyberattacks. The vulnerability, which was so critical it prompted the U.S. Department of Homeland Security to issue warnings, affected all systems running Java 7.10.

The new release from Oracle, Java 7 Update 11, is said not only to close all the holes open in the previous version but also to include a fix for another previously undisclosed critical vulnerability. Oracle also confirmed that the flaws in question do not affect Java 6 or earlier versions of the runtime. Oracle urges users to update as soon as possible.

The security alert for CVE-2013-0422 notes in its Risk Matrix that CVE-2012-3174, another critical, remotely exploitable vulnerability, is also being fixed in the update. Little is known of the equally severe vulnerability except that its CVE number was apparently assigned in June 2011 and its discovery appears to be credited to a Brian Murphy via TippingPoint.

Oracle's quick response to this high-profile, easily exploited vulnerability is commendable. However, I for one suggest leaving Java disabled or uninstalled unless you absolutely need it. This is the second major issue with Java in just a few short months, and the ongoing consensus amongst security experts is to leave Java disabled in the browser, especially as few sites these days actually use Java. The Windows control panel for Java also allows users to easily disable the Java plugin, giving you the option of keeping it installed and only enabling it as needed.

Instructions on how to disable Java in Chrome, Firefox and Safari are also available from their respective companies.
