Go ahead and update Java -- or disable it in your browser if you can't
remember the last time you actually used it on the Web: Oracle's latest
quarterly Critical Patch Update, released Tuesday, fixes 25 vulnerabilities in
the aging platform, including one that is already being exploited in attacks.
The patched products include Oracle Database, Oracle Fusion
Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle
E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft
Enterprise, Oracle Siebel CRM, Oracle Communications Applications,
Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and
Virtualization, and Oracle MySQL.
Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6
Update 101. However, only the Java 8 update is publicly available:
public updates for Java 7 ended in April 2015 and for Java 6 in February
2013. Only customers with extended support contracts continue to get
security patches for those versions, so anyone still running them
without such a contract is now on an unpatched runtime.
Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely
without authentication. Sixteen flaws affect only the client deployment and
five affect both client and server deployments.
One fix is specific to the Mac platform and four fixes are for the Java
Secure Socket Extension (JSSE), said Eric Maurice, director of software
security assurance at Oracle, in a blog post.
The most severe vulnerability fixed in this Java update is tracked as
CVE-2015-2590, and it was a zero-day until this release: attackers were
already exploiting it in the wild while no fix was available. As with most
Java exploits, the attack vector was the browser plug-in, so a browser
that cannot load Java content from untrusted sites is not exposed to it.
The attacks were launched by a cyberespionage group known as
Pawn Storm or APT28 that is believed to have ties to Russia's
intelligence services. The group has been active since 2007 and
typically targets military, government and media organizations.
While Java is still widely used for Web-based applications
in business environments, it's rarely seen on consumer-oriented websites
today. Therefore, many users don't need the Java browser plug-in, which
is the target of the majority of Java exploits.
Manually removing or disabling Java from every browser installed on a
computer is possible, but the plug-in might get re-enabled with the next
Java update, so the setting needs to be re-checked after each patch. The
Java Control Panel's "Enable Java content in the browser" checkbox
(Security tab, available since Java 7 Update 10) disables the plug-in for
all browsers at once and is the simpler switch. Uninstalling the Java
runtime completely from the system is often not viable, because there are
still popular desktop applications that need it; those applications do
not need the browser plug-in, only the runtime.
For companies that do need Java support on the Web,
defending against zero-day exploits can be a bit more complicated.
However, there are options to significantly reduce the likelihood of
attacks.
Internet Explorer has a per-security-zone "Java permissions" setting that
administrators can use to restrict which websites are allowed to load
Java content: disable Java in the Internet zone and allow it only for
sites placed in the Trusted sites zone, such as those hosting the relevant
business applications. Browsers like Mozilla Firefox and Google Chrome have
a click-to-play option (in Firefox, setting `plugin.state.java` to 1 in
about:config, "Ask to Activate") that prevents the automatic execution of
Web-based Java content and requires the user to approve each applet. Note
that Chrome 42 and later disable NPAPI plug-ins such as Java by default, so
Chrome users in a Java-dependent environment will need another browser for
those applications in any case.
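The following PowerShell script, added here as an illustration and not taken from the article, Oracle or Microsoft, applies the Internet Explorer zone-based approach: it disables Java in the Internet and Restricted zones, allows it only in Trusted sites, and assigns a short list of business hosts to that zone. It assumes the registry layout Microsoft documents for IE zone settings (value `1C00` = "Java permissions" under each zone key, with 0 = Disable Java and 0x10000 = High safety; zone 2 = Trusted sites, 3 = Internet, 4 = Restricted; `ZoneMap\Domains\<host>\<scheme>` = zone number). The hostnames are placeholders.

```powershell
# Added example for this page (not the article's or Oracle's code).
# Assumed registry layout (from Microsoft's IE zone documentation):
#   ...\Internet Settings\Zones\<n>\1C00  DWORD "Java permissions"
#       0x00000000 = Disable Java, 0x00010000 = High safety,
#       0x00020000 = Medium safety, 0x00030000 = Low safety
#   zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
#   ...\Internet Settings\ZoneMap\Domains\<host>\  DWORD "<scheme>" = <zone>
# The site list below is a placeholder; replace it with your own hosts.
param(
    [string[]]$TrustedJavaSites = @('https://erp.example.internal',
                                    'https://hr.example.internal'),
    [switch]$MachineWide   # write HKLM instead of the current user's HKCU
)

$root    = if ($MachineWide) { 'HKLM:' } else { 'HKCU:' }
$zones   = "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
$zoneMap = "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

$JavaDisabled   = 0x00000000
$JavaHighSafety = 0x00010000

function Set-ZoneJavaPermission {
    param([int]$Zone, [int]$Value)
    $key = Join-Path $zones $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1C00' -Value $Value -Type DWord
}

function Add-TrustedSite {
    param([uri]$Site)
    $domainKey = Join-Path $zoneMap $Site.Host
    if (-not (Test-Path $domainKey)) { New-Item -Path $domainKey -Force | Out-Null }
    # Value name is the URL scheme; its data is the zone number (2 = Trusted sites).
    Set-ItemProperty -Path $domainKey -Name $Site.Scheme -Value 2 -Type DWord
}

# 1. Block Java everywhere on the open Web (Internet and Restricted zones).
Set-ZoneJavaPermission -Zone 3 -Value $JavaDisabled
Set-ZoneJavaPermission -Zone 4 -Value $JavaDisabled

# 2. Allow Java, still sandboxed ("High safety"), only in the Trusted sites zone.
Set-ZoneJavaPermission -Zone 2 -Value $JavaHighSafety

# 3. Assign the business applications to Trusted sites, HTTPS only, so a
#    spoofed plain-HTTP host cannot inherit the Java permission.
foreach ($s in $TrustedJavaSites) {
    $u = [uri]$s
    if ($u.Scheme -ne 'https') { throw "Refusing to trust non-HTTPS site: $s" }
    Add-TrustedSite -Site $u
}

# 4. Report the resulting state for verification after each Java update,
#    since a plug-in reinstall may touch browser settings.
foreach ($z in 1..4) {
    $v = (Get-ItemProperty -Path (Join-Path $zones $z) -Name '1C00' `
          -ErrorAction SilentlyContinue).'1C00'
    '{0,-6} zone {1}: Java permissions = 0x{2:X8}' -f $root, $z, [int]$v
}
```

In a domain, push the same values through Group Policy (the "Site to Zone Assignment List" and per-zone security settings) rather than a login script, so users cannot undo them and the policy keys take precedence over per-user settings; re-run the report step after each Java patch to confirm the Internet zone still shows 0x00000000.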