Tuesday, February 5, 2013

Latest Java update patches 50 holes, including critical zero-day flaw


Oracle was convinced to issue an update for its Java plugin two weeks early this month in order to squash a few critical bugs that resulted in a torrent of bad press. Everyone from security bloggers to the federal government had warned the general public against using Java after it was discovered that a flaw was being exploited in the wild. Apple blocked Java via OS X’s Xprotect, and Mozilla and Google both flipped the switch on their browsers to blacklist the plugin.

According to security researcher Brian Krebs, the most critical fix in the most recent Java update addresses an issue in Oracle’s new trust mechanism. The initial change made it so that Java requested authorization from end users whenever unsigned, untrusted code was encountered. While it was an excellent step in the right direction in terms of improving the overall security of Java, it was also very easy to circumvent.

In total, the Java update takes care of 50 security flaws. Unsurprisingly, Oracle is recommending that all users update as soon as possible due to the severe risk posed by surfing with a vulnerable version.

If you’ve still got Java installed on your system, keep your eyes peeled for an update notification. If you’d rather not wait for Oracle’s updater to answer the call, just head over to the Java download page and grab the latest version. Mac users will be relieved to know that the new release matches Xprotect’s minimum version expectation, and that means no more terminal hacking is required just so you can play Minecraft.

One more thing: just make sure the update you’re installing is a legitimate one, not some craftily designed malware.


