Get ready! Oracle to fix 40 holes in Java on Tuesday, 18 June 2013

Filed Under: Featured, Java, Oracle, Vulnerability

Oracle's official patch frequency for Java is rather unusual: once every four months.

There's no succinct adjective for that, as there is for monthly or quarterly updates: the easiest way to work out Oracle's official dates is simply to remember, "Around the middle of February, June and October."

→ Oracle increasingly frequently issues security patches between regular updates, so those aren't the only fixes you'll need each year. But they're the ones that are going to come out no matter what, so you may as well diarise them.

There's definitely an update coming next Tuesday, 18 June 2013, and you might as well get ready for it now if you haven't already.

The details of what will be fixed aren't a matter of public record yet, so we can't spell them out for you in detail.

Nevertheless, Oracle has published a very brief pre-announcement to remind us of the importance of this month's fixes.

(Yes! I know! It's a misnomer - what is a "pre-announcement" if not merely an "announcement" - but don't shoot the messenger!)

The good news is that lots of security vulnerabilities have been repaired - 40 in total, of which all but three are RCEs, or remote code execution holes.

That's where untrusted content sent over the network might be able to trick Java into performing operations that really ought to be limited to already-installed, trusted code.

In short, an RCE means that you could get infected by malware simply by looking around online, without explicitly downloading, authorising or even noticing the malware being installed.

There are two handy ways to reduce this RCE risk:

  • Apply Oracle's patches as soon as practicable. You can turn on fully-automatic updating if you like.
  • Turn off Java in your browser, so that web-based Java applets can't run at all.

In the future, Oracle expects to switch Java onto a quarterly update cycle, keeping it aligned with other Oracle products.

For the time being, just keep your eyes open on Tuesday 18 June 2013, or engage auto-updating before then: this update sounds important.

We'll spell out the detail of what's changed once Oracle's updates have gone public.

Sophos vulnerability assessments can be found on the official SophosLabs Vulnerabilities page.


14 Responses to Get ready! Oracle to fix 40 holes in Java on Tuesday, 18 June 2013

  1. Gary · 308 days ago

    You recommend turning JAVA off. I have and I am unable to watch YouTube videos. I do have issues with the JAVA. My computer freezes up occasionally, I've narrowed it down to JAVA as the cause. Any suggestions?

    • Paul Ducklin · 308 days ago

      That doesn't sound right. YouTube videos don't rely on Java. They rely on Adobe Flash or JavaScript. Turning off Java seems unlikely to have anything to do with your video problem...

      You didn't perhaps turn off JavaScript rather than Java?
      http://nakedsecurity.sophos.com/2013/01/16/java-i...

      • Gary · 308 days ago

        You were right. I did kill JavaScript, not Java. It's off now. Thank you.

  2. Trent · 308 days ago

    I ditched Java quite some time ago due to all the risks. Recently I had an opportunity to download two separate programs that were free for a day; after starting the install, I noticed they required Java so I stopped the install. It's time programmers find another way around the use of Java.

    • 2072 · 307 days ago

      The dangerous part in Java is the browser plugin, a part that you can disable easily. If so many holes are discovered in JAVA it's simply because it's one of the most interesting things to attack for hackers at the moment...

  3. Steve · 307 days ago

    Uh, shouldn't the fact that there are 37 RCEs be highlighted in bold?

    That seems like an awful lot - maybe I just haven't been paying attention to the counts from previous patch cycles?

  4. Gavin · 307 days ago

    "There's no succinct adjective for that..."

    The best I could come up with was "triannually." Not very pithy though I grant you. :)

    • Paul Ducklin · 307 days ago

      I usually avoid adjectives of that form - do you mean three times a year, or once every three years?

      I guess "three times a year" is clear enough. "Every four months" would do. And, as I said, it's easy enough just to say "Feb, June and Oct" to make it superclear :-)

  5. cav · 307 days ago

    A single application requiring 40 fixes. Where are the snide remarks? Or are they just reserved for Microsoft which updates far more than just an app.

    • Paul Ducklin · 304 days ago

      Where are the snide remarks aimed at Microsoft?

      Have I made any lately? (That's not meant as a rhetorical question, though I hope it ends up being one.)

      And if we are scrupulously fair, Java is more than "just an app", and the updates apply to more than just the Java runtime. I'm not offering that as an excuse or an explanation, just as a fact. There's the runtime, the compiler, a raft of supporting tools - after all, Java is meant to be a "cross-platform platform."

      Just saying.

  6. Kaipo · 307 days ago

    I don't have anything to add to the conversation other than this humorous Javapocalypse trailer: http://youtu.be/E3418SeWZfQ

  7. Edge · 306 days ago

    WORTHY OF NOTE: This release is the first one where Java 6 is no longer public. You can't download the latest, patched Java 6 without a subscription. Only Java 7. If you are stuck supporting an app in an enterprise environment that still only works with Java 6... Oracle now wants you to pay up or live with the vulnerabilities.

    • Kaipo · 305 days ago

      I believe that you just need to register for a FREE account on Oracle's website; I was able to download JRE 6 U45 without having to pay for anything.

      • Edge · 302 days ago

        Java 6 U45 was public. Java 6 U51 (the one JUST released) is not. Your information is based upon the previous update, not the current one. :)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog