Get ready! Oracle to fix 40 holes in Java on Tuesday, 18 June 2013

Oracle’s official patch frequency for Java is rather unusual: once every four months.

There’s no succinct adjective for that, as there is for monthly or quarterly updates: the easiest way to work out Oracle’s official dates is simply to remember, “Around the middle of February, June and October.”

→ Oracle has also been issuing out-of-band security patches between its regular updates more and more often, so the scheduled releases aren’t the only fixes you’ll need each year. But they’re the ones that are going to come out no matter what, so you may as well diarise them.

There’s definitely an update coming next Tuesday, 18 June 2013, and you might as well get ready for it now if you haven’t already.

The details of what will be fixed aren’t a matter of public record yet, so we can’t spell them out for you in detail.

Nevertheless, Oracle has published a very brief pre-announcement to remind us of the importance of this month’s fixes.

(Yes! I know! It’s a misnomer – what is a “pre-announcement” if not merely an “announcement” – but don’t shoot the messenger!)

The good news is that lots of security vulnerabilities will be repaired – 40 in total, of which all but three are RCEs, or remote code execution holes. (Oracle’s own wording for the 37 is “remotely exploitable without authentication”, meaning attackable over the network with no username or password needed.)

That’s where untrusted content sent over the network might be able to trick Java into performing operations that really ought to be limited to already-installed, trusted code.

In short, for Java in your browser an RCE means that you could get infected by malware simply by visiting a booby-trapped or compromised web page, without explicitly downloading, authorising or even noticing the malware being installed.

There are two handy ways to reduce this RCE risk:

  • Apply Oracle’s patches as soon as practicable. You can turn on fully-automatic updating if you like.
  • Turn off Java in your browser, so that web-based Java applets can’t run at all. In Java 7 Update 10 and later, that is the “Enable Java content in the browser” checkbox on the Security tab of the Java Control Panel. Note that this leaves the Java runtime itself installed, so standalone Java applications still run and still need patching; it only closes the browser route.
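As an added example (not code from the original article, nor from Oracle or Sophos), here is a small POSIX shell script that does the two checks a practitioner would want once the update ships: is the installed Java at the required update level, and is Java in the browser actually off. It assumes the `java version "1.M.0_NN"` banner format that `java -version` printed for Java 6 and 7, and the `deployment.webjava.enabled` key that Java 7 Update 10 and later write to the per-user deployment.properties file when “Enable Java content in the browser” is unticked. The minimum update number and the properties file path are parameters, and the sample banner and threshold used in the demonstration are constructed values, not the real June 2013 release numbers.

```shell
#!/bin/sh
# Added example, not from the original article or from Oracle/Sophos.
# Post-Patch-Tuesday checks for a Java install:
#   1. is the installed Java at or above a required update level?
#   2. is Java in the browser switched off?
# Assumptions (labelled as such): the 'java version "1.M.0_NN"' banner that
# `java -version` printed for Java 6/7, and the Java 7u10+ property
# deployment.webjava.enabled in the per-user deployment.properties file.
# The article quotes no version numbers, so the minimum update level is a
# parameter rather than a hard-coded value.
set -e

# java_update_level BANNER
# Prints the update number NN from a banner like 'java version "1.7.0_21"';
# prints nothing if the banner does not match that format.
java_update_level() {
    printf '%s\n' "$1" |
        sed -n 's/^java version "1\.[0-9]\.[0-9]_\([0-9][0-9]*\)".*/\1/p' |
        head -n 1
}

# java_needs_update BANNER MIN_UPDATE
# Returns 0 (true) if the banner's update level is below MIN_UPDATE,
# 1 if it is at or above it, 2 if the banner could not be parsed.
java_needs_update() {
    level=$(java_update_level "$1")
    if [ -z "$level" ]; then
        return 2
    fi
    [ "$level" -lt "$2" ]
}

# webjava_enabled PROPERTIES_FILE
# Returns 0 (true) unless the file explicitly sets
# deployment.webjava.enabled=false, which is what unticking
# "Enable Java content in the browser" writes. A missing file or a missing
# key means the default applies, i.e. browser Java is still on.
webjava_enabled() {
    if [ -r "$1" ] && grep -q '^deployment\.webjava\.enabled=false' "$1"; then
        return 1
    fi
    return 0
}

# Demonstration on constructed input; no real Java install is needed.
demo() {
    props=$(mktemp)
    printf 'deployment.webjava.enabled=false\n' > "$props"   # constructed file
    if webjava_enabled "$props"; then
        echo "browser Java: ON (turn it off in the Java Control Panel)"
    else
        echo "browser Java: OFF"
    fi
    rm -f "$props"

    banner='java version "1.7.0_21"'   # constructed sample banner
    min=22                             # illustrative threshold, not a real release
    java_needs_update "$banner" "$min" && rc=0 || rc=$?
    case $rc in
        0) echo "update needed: below update $min" ;;
        1) echo "up to date: at or above update $min" ;;
        *) echo "could not parse: $banner" ;;
    esac
}

demo
```

Against a real install, call `java_needs_update "$(java -version 2>&1 | head -n 1)" "$MIN_UPDATE"`, where MIN_UPDATE is the update number from Oracle’s release notes once the patch is out (`java -version` prints to stderr, hence the redirect). Two caveats: on a machine with several JREs installed, the `java` found on the PATH may not be the one the browser plugin uses, so check each installation; and on Windows the deployment.properties file lives under the user’s profile rather than ~/.java, so the Java Control Panel checkbox is the simpler thing to inspect there.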

In the future, Oracle expects to switch Java onto a quarterly update cycle, bringing it into line with the Critical Patch Update schedule already used for its other products.

For the time being, just keep your eyes open on Tuesday 18 June 2013, or engage auto-updating before then: this update sounds important.

We’ll spell out the detail of what’s changed once Oracle’s updates have gone public.

Sophos vulnerability assessments can be found on the official SophosLabs Vulnerabilities page.