Oracle patching 40 vulnerabilities in Java today, 37 critical
Ravi Mandalia | On 18, Jun 2013
Oracle has revealed that it will fix a total of 40 vulnerabilities in Java SE today, 37 of which can be exploited remotely without the need for a username and password.
Oracle published this information in a pre-announcement, and the fixes will be released as part of its Critical Patch Update (CPU) later today. The update is meant for all versions of Java that are currently supported, either publicly or contractually: JDK and JRE 7 Update 21 and earlier, JDK and JRE 6 Update 45 and earlier, and JDK and JRE 5.0 Update 45 and earlier. The CPU also includes fixes for JavaFX 2.2.21 and earlier.
Oracle has advised that the updates be applied as soon as possible after they are released, to mitigate the risks arising from unpatched vulnerabilities. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” notes Oracle.
In general, users who are concerned about the barrage of vulnerabilities reported recently and are not in a position to update Java within their infrastructure should disable the Java plugin in their browsers, as it is the most common attack vector used to exploit these vulnerabilities. Users can refer to the guides provided by their browser vendors to disable the plugin.