All but one remotely exploitable without authentication

51 holes plugged in latest Java security update

Elliot Bentley

Massive patch is first of new quarterly update schedule, but security researchers say it’s still not enough.


51 vulnerabilities have been patched in the latest Java security update, the first of a new quarterly cycle. Until now, Java’s official patch release schedule has been three times a year – although the emergence of dangerous zero-day exploits has forced Oracle to issue two out-of-cycle emergency patches over the past twelve months.

Of the 51 Java vulnerabilities patched in this update, all but one are remotely exploitable without the need for a username and password, and 12 were given the maximum possible CVSS score of 10/10.

As with the majority of high-profile Java vulnerabilities, almost all target browser Java applets, and as such security advisors continue to recommend that users disable the browser plugin (or, if possible, remove it altogether). However, security firm Qualys notes that two “highly critical” vulnerabilities of the 51 can also apply to server installations.

The new schedule is in line with Oracle’s
quarterly Critical Patch Update (CPU) bulletin, which also covers
the company’s other software. VirtualBox, MySQL Server and
GlassFish are among the many other applications that have received
security updates this week.

Last month, Trend Micro highlighted a new wave of attackers who are taking advantage of weaknesses in Java’s native layer. Though difficult to pull off, it appears knowledge of such exploits has become widespread, with highly dangerous results – infiltration of the native layer allows for execution of arbitrary code.

On the Sophos Naked Security blog, researcher Chester Wisniewski praised the move to a more regular cycle, but said it still wasn’t regular enough – especially since Microsoft and Adobe provide monthly patches for their browser plugins.

“Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash,” concluded Wisniewski, referring to Oracle’s recent America’s Cup win. “3+ billion devices will thank you.”
