Oracle releases patch for latest Java hole - update now!

Filed Under: Featured, Malware, Vulnerability

The big - no, the vast! the enormous! - security news over the weekend has been CVE-2013-0422.

That's the recent Java security hole that lets Java applets in your browser escape from Java's security strictures.

That means a Java applet (which is usually very limited in the sort of changes it can make to your PC) can infect your PC with malware without so much as a pop-up or an are-you-sure.

This vulnerability became a huge problem in short order because it was quickly included in exploit packs such as Cool EK and Nuclear Pack. Exploit packs are pre-packaged crimeware-as-a-service tools you can rent in order to have your malware distributed for you.

So here's some good news: Oracle has been on the ball and has already come out with a patch. Java 7 Update 11 fixes both CVE-2013-0422 and a second vulnerability.

Oracle's offical repository for the latest version is the Java Downloads for All Operating Systems page.

In the database behemoth's own words:

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

This update also changes the default Java Security Level setting from Medium to High.

As Oracle explains, at the High setting, you are "always prompted before any unsigned Java applet or Java Web Start application is run."

There's not an enormous amount to say about the patch beyond that. Fix early, fix often!

Note that the vulnerabilities Oracle just patched don't apply to standalone Java applications or server-side Java installs. They apply only to applets, which run inside your browser.

Your browser routinely and unavoidably puts you in harm's way, since it inevitably downloads and attempts to parse, process and display, untrusted content.

So, even after updating, I recommend that you turn Java off inside your browser unless you know you need it.

If there are only one or two specific sites for which you need Java, it can be a pain to keep remembering to turn it on, and it's easy to forget to turn it off again afterwards.

In such cases, you may want to consider running two browsers, one with Java enabled and one without.

Of course, if you do this, you need to keep both browsers patched - even (or perhaps especially, since it's the one with Java turned on) the one you only use infrequently.

By the way, if you do turn Java off in your browser, or think you did, it's worth checking.

A handy place to do so is Javatester.org, a web page that attempts to launch a tiny applet to get the answer "from the horse's mouth", as it puts it.

If you have Java turned off, it will confirm this for you.

If you have Java turned on, it will confirmation the precise version number from the Java Runtime Environment (JRE) itself. This means you can be sure you're running the version you expect.

And now? Stop reading, start patching!

, , , , , ,

You might like

11 Responses to Oracle releases patch for latest Java hole - update now!

  1. Mary · 560 days ago

    On javatester.org it says this connection is untrusted!

    • Paul Ducklin · 560 days ago

      What, if I may ask, said that?

      My "tests" were to visit the URI http://javatester.org/version.html from:

      * FF 18 on OS X 10.8
      * Safari 6 on OS X 10.8
      * IE 10 on Windows 8
      * FF 19 Beta on Android 4.2
      * Chrome 18 on Android 4.2

      Didn't have any warnings or problems...

  2. Eamonn · 560 days ago

    I receive Sophos notifications via Facebook. And very useful they are.....

    However, Facebook requires Java to be enabled, or many of the FB functions don't work - e.g. "Commenting" back to Sophos via the Sophos FB page.

    • Paul Ducklin · 560 days ago

      I use Facebook with Java turned off.

      Are you sure you aren't confusing Java with JavaScript? The latter has almost nothing in common with the former except for the letters J-A-V-A. That "similarity" is just an accident of history.

      • Eamonn · 560 days ago

        Hi Paul and thanks. I will have to dig deeper.
        Version 11 now shows me the option to disable Java in the security settings. If I disable, I can use Internet Explorer, but not Chrome.
        As I am in Western Europe it's a bit late for me now :-)
        So I'll review later on Monday!

        • avis · 557 days ago

          I Have taken java off( i have uninstalled it )and i can still use google chrome as before in fact i have'nt found any difference,hope that will help.

  3. Tena · 560 days ago

    Not seeing where to download the "fix". Maybe it's time to get my eyes re-examined...

  4. Catch22 · 560 days ago

    I went to Javatester before downloading the patch, in FF and Chrome, and each told me the browser had Java disabled. I then downloaded the patch, briefly enabled and re-disabled Java in both browsers and tried again. Chrome still told me that Java was disabled, but FF asked me if I wanted to run the app - even though it was (and still is) showing as 'Disabled' in the FF add-ons manager.

    Do you know why this is, and why I can't seem to turn Java off in FF now? At least I can still cancel any request, but I'd rather it was fully disabled in the first place.

    I'd appreciate your advice.

  5. Paul Ducklin · 560 days ago

    Hmmm. Did you exit from Firefox and restart it between the tests? What OS?

    I am guessing (perhaps Chester can help me here...Chet?) that the "do you want to do this" may be Firefox's "click to play" functionality kicking in to warn you about the presence of a Java applet tag..

    If you say, "Yes, let it run," does it actually work and show you the relevant version number? Or do you then get the "it's disabled" text, as shown above (which was a screenshot from Firefox, admittedly on OS X with Apple's implementation of Java, which changes things a lot :-)

  6. Catch22 · 560 days ago

    I'm using Windows 7.

    I closed and re-opened FF while waiting for my comment to be approved, and it's still doing the same thing. The only difference is that the add-ons manager now displays the correct version of Java rather than the previous one - but it still states that it's disabled.

    (Well, it displays "Java Deployment Toolkit", whereas previously Java had two entries on the list: the toolkit and another entry, which I can't recall the exact wording of. I fail at computers.)

    If I say 'Yes, let it run', it does work and show me the correct version, yes. If I click 'cancel', I get 'Error. Click for details' in the box. Incidentally, before I got the patch, the 'it's disabled' text was the same as your Apple screenshot :-).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog