All but one remotely exploitable without authentication

51 holes plugged in latest Java security update

Elliot Bentley

Massive patch is first of new quarterly update schedule, but security researchers say it’s still not enough.


51 vulnerabilities have been patched in the latest Java security update, the first of a new quarterly cycle. Until now, Java’s official patch release schedule has been three times a year – although the emergence of dangerous zero-day exploits have forced Oracle to issue two out-of-cycle emergency patches over the past twelve months.

Of the 51 Java vulnerabilities patched in this update, all but one are remotely exploitable without the need for a username and password, and 12 were given the maximum possible CVSS score of 10/10.

As with the majority of high-profile Java vulnerabilities, almost all target browser Java applets, and as such security advisors continue to recommend that users disable the browser plugin (or, if possible, remove it altogether). However, security firm Qualys note that two “highly critical” vulnerabilities of the 51 can also apply to server installation.

The new schedule is in line with Oracle’s quarterly Critical Patch Update (CPU) bulletin, which also covers the company’s other software. VirtualBox, MySQL Server and GlassFish are among the many other applications that have received security updates this week.

Last month, Trend Micro highlighted a new wave of attackers, who are taking advantage of weaknesses in Java’s native layer. Though difficult to pull off, it appears knowledge of such exploits has become widespread, with highly dangerous results – infiltration of the native layer allows for execution of arbitrary code.

On the Sophos Naked Security blog, researcher Chester Wisniewski praised the move to a more regular cycle, but said it still wasn’t regular enough – especially since Microsoft and Adobe provide monthly patches for their browser plugins.

“Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash,” concluded Wisniewski, referring to Oracle’s recent America’s Cup win. “3+ billion devices will thank you.”
Inline Feedbacks
View all comments