Oracle Fixes 29 Bugs in Huge Java Update

Oracle has released a slew of patches for its Java platform, fixing a total of 29 bugs in Java SE and Java for Business. Several of the flaws allow a remote attacker to take complete control of a vulnerable machine.

Java is among the more widely deployed technologies on the Web and it is now a favored vector for attackers looking for a common and easy way into machines. It’s very difficult to browse the Web these days without having Java enabled in your browser, as millions of sites rely on the technology for portions of their functionality.

Among the 29 bugs that Oracle fixed in its quarterly Critical Patch Update for Java are 28 vulnerabilities that are remotely exploitable with no authentication, and more than half of them offer a low barrier to exploitation for attackers. Some of the bugs that Oracle patched Tuesday are issues raised by security researcher Sami Koivu, who earlier this year talked about a class of bugs in Java called “serialization” flaws.

“Several of the serialization issues were addressed. It looks like they created a cute little mechanism for preventing external calls to defaultReadObject/defaultWriteObject. And the problem of repeated fields also seems to be addressed. The early reference stuff can’t really be fixed, because it is a feature. And that means you can still create an Integer object that has 0 as its value and then later at an arbitrary moment changes its value to something else,” Koivu wrote in a blog post on the Java update.
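The two mechanisms Koivu mentions (a class's own readObject calling defaultReadObject, and the runtime refusing that call from anywhere else) are easy to see in a few lines. The following is an added example written for this page, not code from Oracle, Koivu or the article; the Account class, its balance invariant and the sample values are constructed for illustration. It shows the defensive pattern that stays the application's responsibility regardless of the patch: re-checking invariants in readObject, because deserialization bypasses the constructor entirely.

```java
import java.io.*;

// Added example (not from the article or Oracle): a Serializable class whose
// readObject re-validates its state after defaultReadObject, plus a check that
// defaultReadObject cannot be invoked from outside a readObject in progress.
public final class SerializationGuard {

    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long balanceCents;

        Account(long balanceCents) {
            if (balanceCents < 0) {
                throw new IllegalArgumentException("negative balance");
            }
            this.balanceCents = balanceCents;
        }

        long balanceCents() { return balanceCents; }

        // Called by ObjectInputStream during deserialization; the constructor
        // above never runs, so a crafted stream could carry any field value.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();            // populate fields from the stream
            if (balanceCents < 0) {            // re-apply the constructor's invariant
                throw new InvalidObjectException("negative balance in stream");
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Account(500));   // constructed sample object

        // Normal round trip: readObject runs, invariant holds, object is restored.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Account a = (Account) ois.readObject();
            System.out.println("restored balance: " + a.balanceCents());
        }

        // defaultReadObject is only legal from within the readObject of the object
        // currently being read; an external call is rejected with NotActiveException.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.defaultReadObject();
            System.out.println("unexpected: external defaultReadObject succeeded");
        } catch (NotActiveException e) {
            System.out.println("external defaultReadObject rejected: " + e);
        }
    }
}
```

Compile and run with `javac SerializationGuard.java && java SerializationGuard`. The invariant check in readObject is the part a patch cannot supply: the runtime can stop a stream from calling defaultReadObject on someone else's behalf, but only the class knows which field values are legal.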

Because so many of the Java bugs are relatively easily exploitable, Oracle is urging customers to install the fixes immediately.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem,” the company said in its advisory.

Discussion

  • larryjava on

    Thanks, had to search harder than I expected to find out why there was always an icon bugging me to update java way too often. Guess Oracle doesn't have enough hackers in their employ. Try offering a reward to Russia (for example, of course) for anyone who can 'crack' a beta version. Maybe there's a larger reward to unlocking millions of computers.

  • Joanne Ungarsky on

    I keep finding messages like this when I am done playing pogo.

    A fatal error has been detected by the Java Runtime Environment:
    #
    #  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0ae058b0, pid=3984, tid=4280
    #
    # JRE version: 6.0_26-b03
    # Java VM: Java HotSpot(TM) Client VM (20.1-b02 mixed mode, sharing windows-x86 )
    # Problematic frame:
    # C  0x0ae058b0
    #
    # If you would like to submit a bug report, please visit:
    #   http://java.sun.com/webapps/bugreport/crash.jsp
    # The crash happened outside the Java Virtual Machine in native code.
    # See problematic frame for where to report the bug.
    #

    ---------------  T H R E A D  ---------------

    Current thread (0x0491d400):  JavaThread "AWT-Windows" daemon [_thread_in_native, id=4280, stack(0x04cc0000,0x04d10000)]

    siginfo: ExceptionCode=0xc0000005, reading address 0x0ae058b0

    Registers:
    EAX=0x0b34ded8, EBX=0x00000001, ECX=0x08a02ec0, EDX=0x00000004
    ESP=0x04d0f7bc, EBP=0x04d0f7e8, ESI=0x0491d528, EDI=0x08a02ec0
    EIP=0x0ae058b0, EFLAGS=0x00010293

    Top of Stack: (sp=0x04d0f7bc)
    0x04d0f7bc:   6d09cb90 04d0f864 0000981a 00000000
    0x04d0f7cc:   04d0f864 04d0f91c 0491d528 04d0f7c0
    0x04d0f7dc:   04d0f87c 6d0c04a8 00000001 04d0f814
    0x04d0f7ec:   773dfd72 00070436 0000981a 08a02ec0
    0x04d0f7fc:   00000000 0000981a dcbaabcd 00000000
    0x04d0f80c:   04d0f864 0000981a 04d0f88c 773dfe4a
    0x04d0f81c:   6d09c650 00070436 0000981a 08a02ec0
    0x04d0f82c:   00000000 7b5e774f 04d0f924 04d0f91c