Adobe and Oracle Release Critical Updates

Adobe released a fix for a zero-day bug in Adobe Flash Player for Windows and Mac. Users should update to Adobe Flash Player 17.0.0.169. If you are unsure whether your browser has Flash installed or what version it may be running, go to Adobe’s Flash Player page. Internet Explorer on Windows 8 and Chrome should automatically update.

Oracle’s quarterly critical patch update plugs 15 security holes in Java 8. If you have Java installed and use it for specific websites or applications, update as soon as possible. Windows users can check for the program in the Add/Remove Programs listing or visit Java.com and click the “Do I have Java?” link on the home page. Note that Oracle will be ending support for Java 7 after this update of Java 8 (Update 45).

Read the full story at Krebs on Security.

Oracle Critical Patch Updates for July

This month’s Oracle Patch Update provides 113 new security fixes across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products.

Oracle and Adobe’s First Critical Patches of 2014

Oracle and Adobe will release critical patches alongside Microsoft on Patch Tuesday. Expected updates:

Why Patch a Mac?

According to ZDNet, this has been a fairly busy security update season for Mac users. In fact, they say, Mac users have a lot more work involved to keep their systems safe.

There have been patches for the operating systems, for Safari for Mac, and for Java and Adobe vulnerabilities: quite a long list compared to previous years.

There really are attacks out there against Macs which exploit vulnerabilities, so accepting and installing these patches is important.

Read the story online.

Oracle Security Patches Released

Last week Oracle released its security update for June 2013, which comprises 40 security updates, with 37 of them addressing vulnerabilities that lead to malware execution. Among the updates is one that fixes a vulnerability found in Javadoc.

Javadoc is a tool that generates frames for online documentation web apps. However, there is a vulnerability in how Javadoc interprets user-supplied frames, leaving it vulnerable to frame injection when hosted on a web server. When the vulnerable variation is used and put into a webpage, a user clicking into the frame will be sent to a malicious redirection.

The other updates address vulnerabilities in:

  • JDK and JRE 7, 6 and 5.0
  • JavaFX 2.2.21 and earlier

NOTE TO MIT USERS: Before installing Java updates to a computer in the MIT environment, please review this article: Which Java version should I install?

Oracle Updates Java

Oracle has released a critical patch update for Java Standard Edition (SE). Oracle recommends that customers apply the fixes as soon as possible. The Java SE 7u21 release includes 42 new and important security fixes.

Oracle has two products that implement Java SE: Java SE Development Kit (JDK) 7 and Java SE Runtime Environment (JRE) 7. JDK 7 is a superset of JRE 7 and contains everything that is in JRE 7, plus tools such as the compilers and debuggers necessary for developing applets and applications.

Users running Java SE with a browser can download the latest release here. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Java 8 may be delayed while Oracle works out these issues with Java 7. The release group’s focus suggests they will be releasing a stable, polished version of Java 8. The scheduled date for Java 8 is June 18, 2013.

In related Java news, Apple’s most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available for the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities in the browser and in Java.

Java 7 Still Vulnerable

Researchers have found two new Java zero-day vulnerabilities. Browsers running Java 1.6 update 41 and Java 1.7 update 15 are now vulnerable to a malware attack that installs a remote access tool called McRAT.

Apple released an update to Java following an earlier attack. The vulnerability exists only in the browser plug-in for Java, not in applications that use Java Runtime.

The recommendation is for users to disable Java in the browser until Oracle addresses the issue. If you have a Java plug-in in your browser, you can learn how to disable it here.

Read the full story online.

UPDATE: 3/4/2013 Apple and Oracle have released Java updates for 10.6, and Java updates for 10.7 and 10.8, to address security vulnerabilities. Previous versions are blocked by Apple XProtect.