Oracle fixes five more Java flaws


Oracle has addressed five additional vulnerabilities in Java 7, issuing a security update this week that follows a rushed Java release earlier this month.

Java 7 Update 15 includes four fixes that address client-side vulnerabilities that could be exploited through Java Web Start applications on desktops and Java applets in internet browsers, according to Eric Maurice, director of software assurance at Oracle. Three of the flaws received the highest rating in the Common Vulnerability Scoring System (CVSS).

"Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible," Maurice said in a blog post about the update.

The Java update's fifth fix affects server deployments of the Java Secure Socket Extension, addressing an issue with SSL/TLS implementations that was disclosed by security researchers.

Maurice said in the blog that Oracle is going to continue to accelerate the release of Java fixes to "help address the security worthiness of the Java Runtime Environment in desktop browsers." The next security update for Java SE is scheduled for April 16.

Java has faced a hailstorm of issues with recent zero-day vulnerabilities surfacing in widespread attacks. Apple and Facebook recently disclosed attacks on some employee laptops, targeting a patched Java zero-day vulnerability. Both firms said the attacks did not expose customer data.

Meanwhile, The New York Times published a report documenting a targeted attack using a Java zero-day flaw to gain access to employee devices and ultimately conduct surveillance on specific journalists.

Experts said that although a zero-day exploit was used in the attacks on Apple and Facebook employees, it could very likely be part of a broader attack. Employees from both firms had visited the iPhoneDevSDK developer website, where attackers had compromised the site and set up an attack platform to exploit anyone who visited the site's forum.

Representatives from the site acknowledged that an administrator account was compromised and used to inject malicious JavaScript into the site.

This article originally appeared at
