Oracle fixes 42 holes in Java to revive security confidence

SAN FRANCISCO Tue Apr 16, 2013 5:34pm EDT

An Oracle Corporation logo is seen on stage prior to the announcement of the company's latest SPARC servers at Oracle Conference Center in Redwood Shores, California March 26, 2013. REUTERS/Stephen Lam

SAN FRANCISCO (Reuters) - Oracle Corp released a major security update on Tuesday for the version of the Java programming language that runs inside Web browsers, aiming to make it a less popular target for hackers.

The patch fixes 42 vulnerabilities within Java, including "the vast majority" of those that have been rated as the most critical, said Oracle Executive Vice President Hasan Rizvi.

A series of big security flaws in the Java plug-in for browsers has been uncovered in the past year by researchers and hackers, and some have been used by criminal groups before previous patches were issued.

One widespread hacking campaign disclosed this year infected computers using Microsoft Corp's Windows and Apple software inside hundreds of companies, including Facebook, Apple Inc and Twitter.

The situation grew so bad earlier this year that the U.S. Department of Homeland Security recommended that computer users disable Java in the browser. But many large companies use internal software that relies on Java and have been pressing Oracle to make the language safer.

Perhaps the most significant change will be that, in the default setting, sites will not be able to force the small programs known as Java applets to run in the browser unless they have been digitally signed. Users can override that only if they click to acknowledge the risk, Rizvi said.

Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said.

Primarily a database software and applications company, Oracle inherited Java when it bought Sun Microsystems in 2010. It is the company's greatest exposure to the mass market, as versions of Java run on desktops, in telephones and other devices and on servers.

The browser version, however, has been especially prone to security problems.

Last year, Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was the vehicle for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

Although no high-profile Oracle customers have publicly threatened to desert the company over security issues, Rizvi acknowledged widespread concern.

"It was pretty embarrassing what happened with the Facebook attacks," said IDC analyst Al Hilwa.

"It's a fight for the Java plug-in's life. Either a lot of companies are going to turn these off, or they are going to have their confidence restored."

(Reporting by Joseph Menn. Editing by Andre Grenon)

Comments (1)
unionwv wrote:
My internet bank provides an application which used to be very useful to me but, when the bank revised its site, it switched the application to Java-enabled.

Fine for them, but it introduces a real risk for its customer’s computers, so I can’t use that service anymore.

Apr 16, 2013 7:14pm EDT