Tuesday, March 5, 2013

Oracle Releases Emergency Java 7 Update 17

Oracle announced the release of Java 7 Update 17 on March 4, 2013. This is an unscheduled, emergency release that addresses two vulnerabilities, CVE-2013-1493 and one other, that affect Java in web browsers (Java Web Start applications and Java applets). Oracle's Security Alert states:

"Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

For information about updating your system's Java installation, please see "How can I be certain my Java version is current?"

The release comes only hours after the security research firm Security Explorations sent Oracle a vulnerability notification and proof-of-concept code for five additional Java flaws it discovered (Security Explorations had notified Oracle of two previous flaws in February).

Oracle explains their rationale for releasing this update outside of their regular Critical Patch Update cycle in a Security Assurance Blog post:

"The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert."

We recommend that you update your system's Java version immediately.
