“Yet another Java update” seems to be a trending topic among the security professionals. While it is not surprising that more Java zero days have continued to pop up, it is a little surprising that Oracle went beyond their February 2013 deadline and pushed out a new update for Java version 6.
Java 6 has been updated to version 6u43. It is labeled as the last publicly available JDK 6 update. You can download Java 6u43 here: http://java.com/en/download/manual_v6.jsp
This release is the last of publicly available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements. All JDK 6 releases up to and including 6u43 will be moved to Java Archive, where they will remain available but will not receive updates. For users who require continued access to JDK 6 updates, long term support is available through the Java SE Support program.
You can view the Java 6u43 release notes for more details.
Java 7 was updated to version 7u17. You can view the Java 7u17 release notes for more details. You can download the latest Java 7 here: http://java.com/en/download/manual.jsp
The update contains security vulnerability fixes for CVE-2013-1493. The Oracle Security Alert for CVE-2013-1493 details the now-patched vulnerability as a known exploitation “in the wild”. Notification of the vulnerability came too late to be included in the February 19th update and the zero day exploit caused the patch to be pushed forward from the next scheduled update of April 16th, according to Oracle’s security blog. The exploit was used to download the McRAT remote access Trojan to a victim’s computer that visits a compromised website.
Unfortunately, additional vulnerabilities were disclosed yesterday which the researcher says the latest update does not address. Expect another update to address those vulnerabilities as the discussion gets elevated in the media. This should be further proof that Java should be uninstalled unless needed for improved end-point security.
