(Yet another) Critical Java Patch Update


#1 Union_Thug

Posted 02 February 2013 - 06:22 AM

Oracle Java SE Critical Patch Update Advisory - February 2013

Note: The original Critical Patch Update for Java SE February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation "in the wild" of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 50 new security fixes across Java SE products.


Oracle Software Security Assurance Blog https://blogs.oracle.com/security/

Oracle just released the February 2013 Critical Patch Update for Java SE. The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation "in the wild" of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

snip-

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned. After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue. Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers. The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle's intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

For more information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about setting the security level in the Java client is available at http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html


Edited by Union_Thug, 02 February 2013 - 06:23 AM.

