Oracle fixes zero-day Java flaw and over 190 other vulnerabilities

Users should update Java as soon as possible because attackers are already taking advantage of at least one vulnerability

Illustration of security online

Go ahead and update Java -- or disable it if you don't remember the last time you actually used it on the Web: Oracle's latest patch, released Tuesday, fixes 25 vulnerabilities in the aging platform, including one that's already being exploited in attacks.

In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components.

The patched products include Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. However, only the Java 8 update is publicly available: Oracle ended public updates for Java 7 in April 2015 and for Java 6 in February 2013, so only customers with extended support contracts still receive security patches for those versions.

Of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen of the flaws affect only client deployments (the browser plug-in and Java Web Start) and five affect both client and server deployments.

One fix is specific to the Mac platform and four fixes are for the Java Secure Socket Extension (JSSE), said Eric Maurice, director of software security assurance at Oracle, in a blog post.

The highest-risk vulnerability fixed in this Java update is CVE-2015-2590, which was a zero-day until this release: attackers were already exploiting it while no fix was available.

An exploit for this vulnerability was recently uncovered by researchers from Trend Micro in attacks that targeted at least the armed forces of an unnamed NATO country and a U.S. defense organization.

The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 that is believed to have ties to Russia's intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.

While Java is still widely used for Web-based applications in business environments, it is rarely seen on consumer-oriented websites today. Many users therefore have no need for the Java browser plug-in, which is what the majority of Java exploits target.

Manually removing or disabling Java from every browser installed on a computer is possible, but the plug-in might get re-enabled with the next Java update. And uninstalling the Java runtime completely from the system is often not viable, because there are still popular desktop applications that need it.

Fortunately, Oracle added an option in the Java control panel that serves as a central place to disable support for Java-based content across all browsers.

For companies that do need Java support on the Web, defending against zero-day exploits can be a bit more complicated. However, there are options to significantly reduce the likelihood of attacks.

Internet Explorer has a feature that administrators can use to restrict which websites are allowed to load Java content, such as only those hosting relevant business applications. Mozilla Firefox and Google Chrome offer a click-to-play option that prevents Web-based Java content from executing automatically.
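For administrators who want the "disable Java content in the browser" setting applied machine-wide rather than clicked per user, the following POSIX shell script is an added example (not code from the article or from Oracle). It writes the system-level deployment policy that the Java Control Panel checkbox toggles for a single user, and locks it so users cannot re-enable the plug-in. It assumes Oracle's documented property names `deployment.webjava.enabled` and `deployment.webjava.enabled.locked`, and takes the target directory as a parameter so it can be tried in a scratch location; the real system-level directory depends on the OS (for example /etc/.java/deployment on Linux, %WINDIR%\Sun\Java\Deployment on Windows), and the Java installation must be restarted or relaunched for the policy to take effect.

```shell
#!/bin/sh
# Added example (not the article's or Oracle's code): install a system-wide
# Java deployment policy that disables Java content in all browsers and locks
# the setting so the next Java update or a user cannot silently re-enable it.
#
# Assumed (Oracle-documented) property names:
#   deployment.webjava.enabled         - what the Control Panel checkbox writes
#   deployment.webjava.enabled.locked  - marks the key as not user-overridable
#
# The target directory is a parameter so the functions can be exercised in a
# scratch directory; the live system path is OS-specific (see lead-in).

write_java_policy() {
    dir="$1"
    [ -n "$dir" ] || return 1
    mkdir -p "$dir" || return 1

    # deployment.config: tells the JRE where the mandatory system policy lives.
    # "mandatory=true" makes the JRE refuse to start deployment if the file is
    # missing, so a deleted policy fails closed rather than silently reverting.
    cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$dir/deployment.properties
deployment.system.config.mandatory=true
EOF

    # deployment.properties: disable browser Java and lock the key.
    cat > "$dir/deployment.properties" <<EOF
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
EOF
}

# Audit check: succeeds (exit 0) only when the policy both disables browser
# Java AND locks the setting; either condition alone is not enough.
java_browser_disabled_and_locked() {
    props="$1/deployment.properties"
    [ -f "$props" ] || return 1
    grep -q '^deployment\.webjava\.enabled=false$' "$props" || return 1
    grep -q '^deployment\.webjava\.enabled\.locked$' "$props" || return 1
    return 0
}

# Usage on a Linux host (needs root for the system directory):
#   write_java_policy /etc/.java/deployment
#   java_browser_disabled_and_locked /etc/.java/deployment && echo "browser Java locked off"
```

The check function is deliberately strict about the `.locked` line: a policy that only sets `enabled=false` is exactly the state the article warns about, where the next Java update or a user visiting the Control Panel can turn the plug-in back on.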

Lucian Constantin

IDG News Service