X

Oracle pushes out new Java update to patch security holes

Released Friday, the latest critical patch update contains fixes for 50 different security flaws.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
See full bio
Lance Whitney
2 min read
Screenshot by Lance Whitney/CNET

Oracle has rushed out a new Java security patch designed to plug up a range of holes in the software.

The February Critical Patch Update for Java SE addresses 50 security vulnerabilities, 44 of which affect the use of Java as a plug-in for Web browers, according to an Oracle blog posted Friday. If not properly patched, the plug-in could open the door for attackers to remotely execute code on a PC or Mac by directing users to malicious Web sites.

"The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers," Eric Maurice, director for Oracle's Software Security Assurance, said in the blog.

Security experts have warned about holes in the Java plug-in, with some going so far as to suggest that users uninstall or disable Java until its security can be tightened.

Oracle had issued an emergency security update on January 13. But that update left some flaws still unpatched, prompting Homeland Security to recommend that users still disable Java.

Friday's fix was originally scheduled for release on February 19. But Oracle said it decided to ramp up the schedule after finding that one of the flaws affecting the Java Runtime Environment was actively being exploited. The new update addresses that specific flaw and includes all of the fixes from January's update.

"Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers," Maurice noted.

Related stories

Oracle has also been criticized in the past for not keeping Java properly protected or updated to guard against security exploits. The company gained custody of Java after it acquired Sun Microsystems in 2009.

Users already running Java should receive a notice that an update is available.

The latest version can also be manually installed or updated from Oracle's Java product page. Java users can ensure that the latest version is active through Oracle's Java verification page. An FAQ on Java and its use is available online as well.