5 more critical fixes for Java released by Oracle

Four of the fixes concern client deployment of Java, and can be exploited through Java Web Start applications on desktops and Java applets in internet browsers. The fifth concerns the Java Secure Socket Extension (JSSE) vulnerability commonly known as ‘Lucky Thirteen’. “Due to the severity of the vulnerabilities fixed in this Critical Patch Update,” says Oracle, “Oracle recommends that these fixes be applied as soon as possible.”

Oracle has been much criticized for its lengthy Java update cycle. Yesterday it announced it would improve things. “Finally,” concluded the official Oracle security blog, “note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.” The next scheduled critical update for Java SE will now be on April 16; while this is a definite improvement, it will still not satisfy Java critics. It should be noted, however, that the reason for this current update is that Oracle issued out-of-band fixes earlier this month to address vulnerabilities that were being exploited in the wild. If it continues to fix actively exploited flaws as soon as they become known, it should help Java’s reputation.

That reputation is not good. Imperva points to the dramatic rise in reported vulnerabilities, where so far this year Java accounts for more than 10% of all reported vulnerabilities (up from around 3% last year, and less than 5% in 2011).

“If it was possible,” Tal Be'ery, web research team leader at Imperva told Infosecurity, “we would have advised administrators to disable Java on all browsers – but generally speaking, having IT administratively disable ANY software component on ‘all user machines’ is nearly impossible, especially in today’s Bring Your Own Device (BYOD) IT environment. The current case of disabling Java components is no different.” Nevertheless, he added, “individual users should turn off Java 7 browser plug-ins and only enable them specifically for trusted sites.”