Oracle has announced the release of a massive security patch for Java that addresses at least 51 identified security vulnerabilities. If you think this does not affect you, keep in mind that Oracle says 89 percent of desktops run Java in one form or another.
Oracle’s Security Patch
The updates in question include 50 vulnerabilities that can be exploited remotely, with 12 of them so severe that they could enable hackers to take control of operating systems (OS). In its advisory, Oracle urges those who have Java running on their devices to update as soon as possible. The advisory reads:
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible... This Critical Patch Update contains 127 new security fixes (including 51 Java fixes) across [a range] of product families."
This current patch, which is available for Windows, Mac OS X and Linux, is for Java 7 only, but Oracle has also released updates for Java 6 and Java 5. These, however, are only available to those on extended customer support contracts as Oracle has already ended support for them.
Problems With Java
So how important are these patches? According to Wolfgang Kandek, CTO of vulnerability management firm Qualys, the holes were serious, with 12 of them scoring a perfect 10 in the Common Vulnerability Scoring System (CVSS) vulnerability table, where 10 represents the most dangerous threats of all.
However, the majority of the problems applied to desktops or laptops, with two other severe vulnerabilities associated with server installations.
Leaving that aside, from a user perspective, the problem with these vulnerabilities is that they left billions of devices vulnerable. In fact, according to Oracle, three billion devices worldwide run Java.
However, it is not always necessary to run Java. According to security blogger Brian Krebs (remember he identified the Adobe security breach recently?), many people have it running when they do not actually need to have it at all:
“If you really need and use Java for specific Web sites or applications, take a few minutes to update this software… Otherwise, seriously consider removing Java altogether...”
However, he warns against businesses doing this for business users as they may have legacy systems installed that need Java to function properly.
For the moment, though, the smart money is on installing the updates to protect your devices. If you want to download the patches, you can find them here.