Oracle Issues Update for Java 7

Oracle (News - Alert) has issued an update for Java 7 to address five security concerns – at least three of which are considered serious vulnerabilities.

The update features four fixes for vulnerabilities associated with Java Web Start applications on desktops and Java applets in Internet browsers, according to CRN. The fifth fix relates to server deployment of the Java Secure Socket Extension and SSL/TLS implementation.

"Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible," Eric Maurice, director of software assurance at Oracle, said in a recent blog post.

The five fixes were not released on Feb. 1 when Oracle sped up the release of the earlier Critical Patch Update. “As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE,” Maurice explained in an earlier blog post.  

Oracle – which will continue to speed up the release of fixes for Java – said it will release a Critical Patch Update for Java SE on April 16, 2013, at the same time as the normally scheduled Critical Patch Update for all non-Java products.

In a related matter, Apple and Facebook (News - Alert) saw recent attacks on employee laptops. The hackers used a hole in Java to attack Apple’s computers, news reports said. Apple (News - Alert) suspects the attack come from the same Chinese hackers who attacked Facebook.

These were likely related to Java zero-day vulnerabilities. Such threats take advantage of vulnerabilities in an application that previously was not known.

In response, Apple released an update for Mac computers. The update uninstalls the Apple-provided Java applet plug-in from all Web browsers.

In addition, The New York Times said a targeted attack through a Java zero-day vulnerability got access to employee computers. The Wall Street Journal and Twitter (News - Alert) were also victims of an attack, news reports said. On Jan. 13, Oracle issued a new version of Java 7 to fix a zero-day vulnerability, according to TMCnet.  It is believed by some sector watchers that the most recent attacks on Apple and Facebook employees were associated with a wider attack, which attempted to impact many people, CRN reported.