Oracle Corp. yesterday announced plans to hasten its Java patch cycle even as it rolled out five new fixes for the embattled software which has been under attack by malware exploiting zero-day vulnerabilities.
Oracle’s announcement came on a day when Apple Inc. reported that it suffered a malware attack tied to a vulnerability in a Java plug-in for browsers.
Apple said it has isolated the infected systems from the rest of its network and that there was “no evidence” that any data was stolen.
Java 7 Update 15 and Java 6 Update 41 tackle five vulnerabilities which an earlier emergency Java update on February 1 failed to take care of.
“Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers,” Eric Maurice, director of software security assurance at Oracle, wrote in a blog yesterday. “As a result, we will be issuing a Critical Patch Update to Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products.”
The next scheduled Critical Patch Update releases for Java SE will be April 16, June 18 and October 15 this year, and January 14, 2014.
In a statement yesterday, Apple said malware infected the company’s computers through a Web site for software developers. The company said it is releasing a tool for Mac users which scans the machines and removes the Java malware.
All but one of the vulnerabilities fixed on Tuesday apply to client deployments of Java. Four of the five flaws dealt with can be exploited through Java Web Start Applications on PC and Java applets in browsers.
Three of those four vulnerabilities are rated 10 on the Common Vulnerability Scoring System scale. That is the highest rating, which means they are critical and could completely compromise the integrity and availability of systems where Java runs with administrator privileges, said Maurice.
The impact will be less on systems such as Linux or Solaris where Java does not have administrator privileges.