Friday, 21 June 2013

Apple rushes Java patch as Oracle fixes 40 critical vulnerabilities

Apple has released a security update to protect Mac OS X users from 40 freshly discovered vulnerabilities in Oracle's Java platform.
The iPhone maker released the update hours after Oracle announced the critical patch, promising it will protect Mac OS X users from a host of vulnerabilities in the Java platform.
Apple said: "Multiple vulnerabilities existed in Java 1.6.0_45, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.
"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_51."
The Java for OS X 2013-004 and Mac OS X v10.6 Update 16 patches are available for download now on Apple's website and relate to its Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7 and OS X Mountain Lion v10.8 operating systems.
The Apple patch comes alongside a separate one from Oracle, made for other operating systems. The firm confirmed it relates to 40 new vulnerabilities in the platform and called for users to update as quickly as possible to protect themselves from opportunistic cyber crooks.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 40 new security fixes across Java SE products, of which 4 are applicable to server deployments of Java," Oracle said in its release.
The patch is the latest development in Oracle's ongoing battle to secure the Java platform. Since the start of the year the enterprise giant has been forced to release several security updates, one of them out of cycle, to address vulnerabilities in the platform.
The vulnerabilities have led numerous security professionals to criticise Oracle for its lax security. Most recently WhiteHat Security chief technology officer and co-founder, Jeremiah Grossman, criticised Oracle, saying it is still too slow with its security update cycle.
"Java is definitely a cesspool of vulnerabilities waiting to be discovered, some of which will be patched and exploited. The thing to closely monitor is how fast end users are actually patching, not just how many vulnerabilities are being addressed when the patch is made available. The Java ecosystem is notoriously slow, which is why I recommend uninstalling Java unless you really need it, then you don't have to worry about the endless slew of patches," he said.
Rik Ferguson, global vice president of security research at Trend Micro, added: "The vast majority of the vulnerabilities fixed are critical and could result in 'remote exploitation without authentication', which basically means that a machine can be attacked over a network, resulting in a successful exploit.
"The best thing to do is simply to remove Java from your machine entirely, which has been the advice for some time now. The next best option is to stop using Java in the browser, specifically in the browser that you use regularly. If Java is absolutely indispensable for internal application use then it would be most effective to limit its use to a secondary browser, one that does not have the ability to access the internet – through proxy configuration for example."
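The advice above starts with knowing which Java build a Mac is actually running. As an added example (not code from the article, Apple or Oracle), here is a POSIX shell check that reads `java -version` output and reports whether Apple's Java 6 runtime is at or past the fixed 1.6.0_51 build; the function names and sample banners are constructed, only the version numbers come from the article.

```shell
#!/bin/sh
# Added example, not code from the article or from Apple/Oracle: report
# whether a Mac's Java 6 runtime is at or past 1.6.0_51, the build that
# Apple's Java for OS X 2013-004 update installs. Function names and the
# sample banners are constructed; only the version numbers come from the page.

PATCHED_VERSION="1.6.0_51"

# First line of `java -version` output looks like: java version "1.6.0_45"
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map major.minor.micro_update to one integer so the update number after
# "_" is compared numerically (as text, "1.6.0_9" would sort after "1.6.0_51").
version_to_int() {
    case "$1" in *_*) upd="${1##*_}" ;; *) upd=0 ;; esac
    base="${1%%_*}"
    major="${base%%.*}"; rest="${base#*.}"; minor="${rest%%.*}"
    case "$rest" in *.*) micro="${rest#*.}"; micro="${micro%%.*}" ;; *) micro=0 ;; esac
    echo $(( major * 1000000000 + minor * 1000000 + micro * 1000 + upd ))
}

# Prints absent, vulnerable, patched, or other-release-line. Only the 1.6
# line is judged against Apple's fix; another major release has its own
# patch level and is reported separately rather than compared across lines.
java_patch_status() {
    installed="$(java_version_from_banner "$1")"
    [ -n "$installed" ] || { echo "absent"; return 0; }
    case "$installed" in
        1.6.*)
            if [ "$(version_to_int "$installed")" -ge "$(version_to_int "$PATCHED_VERSION")" ]
            then echo "patched"; else echo "vulnerable"; fi ;;
        *) echo "other-release-line" ;;
    esac
}

# Constructed sample banners standing in for two machines' `java -version`.
BANNER_OLD='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build constructed)'
BANNER_NEW='java version "1.6.0_51"'

# Live check on this machine (Java writes its banner to stderr); then samples.
if command -v java >/dev/null 2>&1
then echo "this machine: $(java_patch_status "$(java -version 2>&1)")"
else echo "this machine: absent"
fi
echo "sample 1.6.0_45: $(java_patch_status "$BANNER_OLD")"   # vulnerable
echo "sample 1.6.0_51: $(java_patch_status "$BANNER_NEW")"   # patched
```

A machine whose `java` command prints no `java version` line (no runtime installed) is reported as absent, which for the purposes of this advisory is the safest state.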
