Tuesday Apr 16, 2013

April 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score affect 19 different vulnerabilities. 

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually require local access to be exploited. 

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.

Monday Mar 04, 2013

Security Alert CVE-2013-1493 Released

Hello, this is Eric Maurice.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE. 

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

As always, Oracle recommends that this Security Alert be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default.  This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

As stated in previous blogs, Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers.  The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment.

 

For more information:

The Advisory for Security Alert CVE-2013-1493 can be found at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

More information about Oracle Software Security Assurance can be found at http://www.oracle.com/us/support/assurance/index.html. 

Tuesday Jun 12, 2012

June 2012 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle just released the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update provides 14 new security fixes across Java SE products.  As discussed in previous blog entries, Critical Patch Updates for Java SE will, for the foreseeable future, continue to be released on a separate schedule than that of other Oracle products due to previous commitments made to Java customers. 

12 of the 14 Java SE vulnerabilities fixed in this Critical Patch Update may be remotely exploitable without authentication.  6 of these vulnerabilities have a CVSS Base Score of 10.0.  In accordance with Oracle’s policies, these CVSS 10 scores represent instances where a user running a Java applet or Java Web Start application has administrator privileges (as is typical on Windows XP).  When the user does not run with administrator privileges (typical on the Solaris and Linux operating systems), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability for these vulnerabilities would be "Partial" instead of "Complete", thus lowering these CVSS Base Scores to 7.5.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible:

In addition, Oracle recommends removing old an unused versions  of Java as the latest version is always the recommended version as it contains the most recent enhancements, and bug and security fixes. 

For more information:

•Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml 

•Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp  

•The Advisory for the June 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
11
12
13
14
16
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today