Oracle Corp. today released an update for its Java SE software that
fixes at least 42 security flaws in the widely-installed program and
associated browser plugin. The Java update also introduces new features
designed to alert users about the security risks of running certain Java
content.
Java 7 Update 21 contains 42 new security fixes
for Oracle Java SE. A majority of these flaws are
browse-to–a-hacked-site-and-get-infected vulnerabilities. According to
Oracle, “39 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
the need for a username and password” [emphasis mine].There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21. Update, 5:42 p.m. ET: Twitter follower @DonaldOJDK notes that Java 6 Update 45 is indeed available here.
Java
7 Update 21 also introduces some new security warnings and message
prompts for users who keep the program plugged into a Web browser (on
installation and updating, Java adds itself as an active browser
plugin). Oracle said
the messages that will be presented depend upon different risk factors,
such as using old versions of Java or running applet code that is not
signed from a trusted Certificate Authority.Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.
No comments:
Post a Comment