Oracle releases patch for latest Java hole – update now!

The big – no, the vast! the enormous! – security news over the weekend has been CVE-2013-0422.

That’s the recent Java security hole that lets Java applets in your browser escape from Java’s security strictures.

That means a Java applet (which is usually very limited in the sort of changes it can make to your PC) can infect your PC with malware without so much as a pop-up or an are-you-sure.

This vulnerability became a huge problem in short order because it was quickly included in exploit packs such as Cool EK and Nuclear Pack. Exploit packs are pre-packaged crimeware-as-a-service tools you can rent in order to have your malware distributed for you.

So here’s some good news: Oracle has been on the ball and has already come out with a patch. Java 7 Update 11 fixes both CVE-2013-0422 and a second vulnerability.

Oracle’s offical repository for the latest version is the Java Downloads for All Operating Systems page.

In the database behemoth’s own words:

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

This update also changes the default Java Security Level setting from Medium to High.

As Oracle explains, at the High setting, you are “always prompted before any unsigned Java applet or Java Web Start application is run.”

There’s not an enormous amount to say about the patch beyond that. Fix early, fix often!

Note that the vulnerabilities Oracle just patched don’t apply to standalone Java applications or server-side Java installs. They apply only to applets, which run inside your browser.

Your browser routinely and unavoidably puts you in harm’s way, since it inevitably downloads and attempts to parse, process and display, untrusted content.

So, even after updating, I recommend that you turn Java off inside your browser unless you know you need it.

If there are only one or two specific sites for which you need Java, it can be a pain to keep remembering to turn it on, and it’s easy to forget to turn it off again afterwards.

In such cases, you may want to consider running two browsers, one with Java enabled and one without.

Of course, if you do this, you need to keep both browsers patched – even (or perhaps especially, since it’s the one with Java turned on) the one you only use infrequently.

By the way, if you do turn Java off in your browser, or think you did, it’s worth checking.

A handy place to do so is, a web page that attempts to launch a tiny applet to get the answer “from the horse’s mouth”, as it puts it.

If you have Java turned off, it will confirm this for you.

If you have Java turned on, it will confirmation the precise version number from the Java Runtime Environment (JRE) itself. This means you can be sure you’re running the version you expect.

And now? Stop reading, start patching!