Oracle Releases Patch for VENOM Vulnerability

Oracle has released a fix for a critical overflow vulnerability known as VENOM. The problem lies in QEMU’s virtual Floppy Disk Controller, which is part of some virtualization platforms and is used in certain Oracle products. Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Alert as soon as possible.

Read the Oracle Security Alert

Adobe and Oracle Release Critical Updates

Adobe released a fix for a zero-day bug in Adobe Flash Player for Windows and Mac. Users should update to Adobe Flash Player 17.0.0.169. If you are unsure whether your browser has Flash installed or what version it may be running, go to Adobe’s Flash Player page. Internet Explorer on Windows 8 and Chrome should automatically update.

Oracle’s quarterly critical patch update plugs 15 security holes in Java 8. If you have Java installed and use it for specific websites or applications, update as soon as possible. Windows users can check for the program in the Add/Remove Programs listing or visit Java.com and click the “Do I have Java?” link on the home page. Note that Oracle will be ending support for Java 7 after this update of Java 8 (Update 45).

Read the full story at Krebs on Security.

Oracle Critical Patch Updates for July

This month’s Oracle Patch Update provides 113 new security fixes across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products.

Oracle and Adobe’s First Critical Patches of 2014

Oracle and Adobe will release critical patches alongside Microsoft on Patch Tuesday. Expected updates:

Oracle Updates Java

Oracle has released a critical patch update for Java Standard Edition (SE). Oracle recommends that customers apply the fixes as soon as possible. Release Java SE 7u21 includes 42 new and important security fixes.

Oracle has two products that implement Java SE: Java SE Development Kit (JDK) 7 and Java SE Runtime Environment (JRE) 7. JDK 7 is a superset of JRE 7 and contains everything that is in JRE 7, plus tools such as the compilers and debuggers necessary for developing applets and applications.

Users running Java SE with a browser can download the latest release here. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Java 8 may be delayed while Oracle works out these issues with Java 7. The release group’s focus suggests they will be releasing a stable, polished version of Java 8. The scheduled date for Java 8 is June 18, 2013.

In related Java news, Apple’s most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available for the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities in the browser and in Java.

Java 7 Still Vulnerable

Researchers have found two new Java zero-day vulnerabilities. Browsers running Java 1.6 Update 41 and Java 1.7 Update 15 are vulnerable to a malware attack that installs a remote access tool called McRAT.

Apple released an update to Java following an earlier attack. The vulnerability exists only in the browser plug-in for Java, not in applications that use Java Runtime.

The recommendation is for users to disable Java in the browser until Oracle addresses the issue. If you have a Java plug-in in your browser, you can learn how to disable it here.

Read the full story online.

UPDATE 3/4/2013: Apple and Oracle have released Java updates for OS X 10.6, and for 10.7 and 10.8, to address the security vulnerabilities. Previous versions are blocked by Apple's XProtect.

About Java and its Risks

Last week a vulnerability in Oracle’s Java 7 Update 10 and earlier was detected. Apple subsequently addressed the issue through the anti-malware system built into OS X, disabling Java 7 plug-ins on Macs where it is already installed.

Oracle has now released Java 7 Update 11 to address the vulnerability. Users of Java can access the free update here.

What is Java and its risks?

This Java issue brings up possible questions in people’s minds. What is Java and why do I need it? Java is a programming language and computing platform first released by Sun Microsystems in 1995. It is the underlying technology that powers programs including utilities, games, and business applications. To learn more about Java and to answer some of these questions, see the Oracle website or the PDF of this month’s issue of OUCH! from SANS.org, dedicated entirely to Java.

Java has become a popular target for cyber criminals, who exploit weaknesses in Java to attack computers that have it installed.

What do I do now?

You may have a plug-in for Java running in your browser. This was my experience with Java:

Within my Firefox browser I had a plug-in installed for Java Applet 14.5.0. I clicked the option “Check to see if your plug-ins are up to date” and was told by Mozilla that my Java Applet Plug-in is outdated. Clicking “Update” linked me to Oracle where the latest update is available. Instructions followed for how to update Java on my Mac. After I ran the installation, the plug-in in Firefox changed from Applet 14.5.0 to Java 7 Update 11.

Note that experiences will vary depending on the browser you have installed (Safari, Firefox, and Chrome address plug-ins differently from one another) and its version.

If you are unsure about whether you need to update Java, you can use this link. If no message appears about the status of Java on your system, you can do what I did and see if you have a plug-in for Java in your browser (these will reside in what might be called “add-ons”). Then follow the steps above to update it. If you don’t have Java installed on your system, you can access it from Oracle here.

If you can do without Java, don't install it, or disable it if it is already installed. If you can't do without it, the best thing to do is to make sure it is current. Windows users can do this by opening the Java icon in the Control Panel, confirming it is the latest version, and checking that it is set to update automatically. Mac users need to update their version of Java themselves by going to the Oracle website.
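The steps above check the version by hand through the browser or the Control Panel. For anyone who wants to check a Java installation from a terminal (or across a fleet of machines), the following POSIX shell script is an added example written for this page, not something from the original post or from Oracle. It parses the first line that `java -version` prints (which goes to stderr, in the form `java version "1.7.0_11"`) and compares the major version and update number against a required minimum, so the same function can be used for the Java 7 Update 11 fix described above or for any later baseline. The sample version lines in the script are constructed for illustration, and the `java` binary on PATH is assumed to exist only in the optional live check at the end.

```shell
#!/bin/sh
# Added example: verify that an installed Java is at or above a required
# update level by parsing the output of `java -version`.

# java_version_line: print the first line of `java -version` output.
# Returns 1 (and prints nothing) if java is not on PATH.
# Note: java writes its version banner to stderr, hence 2>&1.
java_version_line() {
    command -v java >/dev/null 2>&1 || return 1
    java -version 2>&1 | head -n 1
}

# parse_java_version LINE -> prints "MAJOR UPDATE"
#   'java version "1.7.0_11"'    -> 7 11   (pre-2017 "1.X.0_U" scheme)
#   'openjdk version "1.8.0_292"' -> 8 292
#   'java version "9.0.1"'        -> 9 0    (newer scheme, no update suffix)
# Returns 1 if no quoted version string is found.
parse_java_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) major=$(printf '%s' "$ver" | cut -d. -f2) ;;
        *)   major=$(printf '%s' "$ver" | cut -d. -f1) ;;
    esac
    case "$ver" in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
    esac
    # Drop anything after the digits, e.g. a build tag such as "11-b21".
    update=$(printf '%s' "$update" | sed 's/[^0-9].*//')
    [ -n "$update" ] || update=0
    printf '%s %s\n' "$major" "$update"
}

# java_is_current LINE MAJOR MIN_UPDATE
# Exit 0 when LINE describes Java MAJOR at update >= MIN_UPDATE, or any
# higher major version; exit 1 otherwise (including unparsable input).
java_is_current() {
    parsed=$(parse_java_version "$1") || return 1
    have_major=${parsed% *}
    have_update=${parsed#* }
    if [ "$have_major" -gt "$2" ]; then
        return 0
    fi
    [ "$have_major" -eq "$2" ] && [ "$have_update" -ge "$3" ]
}

# report LINE MAJOR MIN_UPDATE: human-readable verdict; always exits 0.
report() {
    if java_is_current "$1" "$2" "$3"; then
        printf 'OK:      %s (meets Java %s Update %s)\n' "$1" "$2" "$3"
    else
        printf 'OUTDATED: %s (need Java %s Update %s or later)\n' "$1" "$2" "$3"
    fi
}

# Constructed sample banners, checked against the Java 7 Update 11 baseline.
report 'java version "1.7.0_10"' 7 11
report 'java version "1.7.0_11"' 7 11
report 'java version "1.6.0_41"' 7 11

# Optional live check of the machine this runs on, if java is installed.
if live=$(java_version_line); then
    report "$live" 7 11
else
    echo "No java binary on PATH (nothing to update in the terminal check)."
fi
```

Running the script prints one verdict per sample banner and then, if a `java` binary is present, a verdict for the local installation. A result of `OUTDATED` for a browser plug-in means the plug-in should be updated or disabled as described above; note that the terminal check only sees the JRE on PATH, which on a Mac may differ from the browser plug-in version shown in Firefox or Safari.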