It’s time for another Java update — and it’s a relatively big one. Oracle is releasing fixes for 42 security bugs in its highly vulnerable Java programming language today. Thirty-nine of those bugs enable hackers to hit you with attacks you may never detect.
For security professionals, Java has been the gift that keeps on giving — if the gift was a stomach virus. Despite repeated updates to the programming language, cyber-criminals continue to find new ways to exploit it. They’ve hit everyone from hundreds of thousands of nameless individuals to big-time companies such as Apple, Microsoft, and Facebook with their variety of attacks.
Oracle announced the update yesterday, saying the patch is slated for today. The company specifically states that the 39 called-out bugs “may be exploited over a network without the need for a username and password.”
New dialog boxes for the Java browser plugin are also being released. These are warning windows that pop up whenever Java is trying to run. The type of warning you receive is based on the quality of the digital certificate of that app.
Low-risk warnings will appear if the certificate can be identified and has been signed by a certificate authority, or if the identified certificate has extra information. For these you will see either the Java logo, publisher’s logo, or a blue shield. You’ll be able to hide future warnings for publishers who provide these credentials.
High-risk apps, however, get a yellow warning triangle if their certificate is untrusted or expired, and a yellow shield if the certificate is unsigned or invalid. For these apps you will have to both check a box that says, “I accept the risk and want to run this app” and then click “run.” Or you can immediately click cancel.
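The three warning tiers above correspond to what a signature check on the app’s jar file turns up: no signature at all, a signature whose certificate is expired or does not chain to a known CA, or a signature that validates against a trusted CA. The following Java program is an added example, not code from this article or from Oracle, that performs that check on a jar from the command line: it reads every entry so the jar’s signature verification runs, confirms each class is signed, and validates the signer’s certificate chain against the JDK’s own cacerts store. Assumptions: the jar path is a placeholder, cacerts sits at its default location with the default password “changeit”, revocation checking is switched off for an offline run, and the tiers approximate the plugin’s rules rather than reproduce them (the “extra information” that earns a publisher logo is not modelled).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    /** Trust tiers mirroring the three warning levels the plugin shows. */
    enum Tier { UNSIGNED_OR_INVALID, UNTRUSTED_OR_EXPIRED, SIGNED_BY_TRUSTED_CA }

    public static void main(String[] args) throws Exception {
        // Placeholder path; pass the applet or Web Start jar to inspect as the first argument.
        String jarPath = args.length > 0 ? args[0] : "/path/to/app.jar";
        System.out.println(jarPath + " -> " + classify(Paths.get(jarPath)));
    }

    public static Tier classify(Path jarPath) throws Exception {
        List<CertPath> signerPaths = new ArrayList<>();
        // verify=true makes JarFile check each entry's digest against the signature files in META-INF.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain; a tampered entry throws SecurityException here */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return Tier.UNSIGNED_OR_INVALID; // one unsigned class is enough to distrust the whole jar
                }
                for (CodeSigner s : signers) signerPaths.add(s.getSignerCertPath());
            }
        } catch (SecurityException tampered) {
            return Tier.UNSIGNED_OR_INVALID; // a signature is present but does not match the content
        }
        if (signerPaths.isEmpty()) return Tier.UNSIGNED_OR_INVALID; // nothing but META-INF in the jar

        PKIXParameters params = new PKIXParameters(loadSystemTrustStore());
        params.setRevocationEnabled(false); // assumption: offline check, no CRL/OCSP lookups
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CertPath path : signerPaths) {
            try {
                validator.validate(path, params);
            } catch (CertPathValidatorException e) {
                // Expired, not yet valid, or chaining to an unknown CA all land in the yellow-triangle tier.
                return Tier.UNTRUSTED_OR_EXPIRED;
            }
        }
        return Tier.SIGNED_BY_TRUSTED_CA;
    }

    /** Loads the JDK's bundled CA store (assumption: default location and default password). */
    static KeyStore loadSystemTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }
}
```

Compile with `javac JarSignatureCheck.java` and run `java JarSignatureCheck some-app.jar`. The same check is what an administrator can apply to jars before whitelisting them, rather than leaving the decision to a user faced with the “I accept the risk” checkbox.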
As we’ve seen with the last rounds of Java updates, however, there are more untapped vulnerabilities to be found. Consider keeping Java off (and if you haven’t turned it off yet, you should do so) and waiting to see if anything is uncovered in the weeks following the release.
hat tip Ars Technica; Oracle image via Peter Kaminski/Flickr, Unsigned cert dialogue box image via Oracle