Oracle, beset by pressures to mitigate holes in Java 7 Update 13 that have been abused by hackers, expedited a patch set scheduled for later this month and released a whopping 50 fixes to licensees on Feb. 1.
A critical Java update was originally scheduled for Feb. 19, but because at least one of the vulnerabilities is being actively exploited and causing problems, Oracle decided to move up the patch update.
Oracle said 44 of 50 vulnerabilities only affect Java in browsers, which means they can only be exploited on desktops through Java Web Start applications or Java applets.
“The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers,” Oracle Global Technology Business Unit manager Eric Maurice said.
Oracle said that in releasing a Critical Patch Update two weeks ahead of the intended schedule — instead of releasing a one-off fix through a Security Alert — would be more effective in helping preserve system security.
The Oracle update came one day after Apple blocked Java 7’s latest update from running on OS X. Apple Insider reported that in January that a zero-day flaw in the Java Runtime Environment was being exploited by nefarious websites and was so serious that the U.S. Department of Homeland Security warned users to disable the web plugin.
In response, Apple disabled Java 7 through the OS X anti-malware system, requiring users to have at least version “1.7.0_10-b19” installed on their Macs. The release carries the designation “1.7.0_13-b20,” meeting Apple’s requirements.
The last publicly available release of Java 6 is set to be released on Feb. 19. After that date all new security updates, patches, and fixes for both the runtime and SDK of Java SE 6 will only be available through My Oracle Support, and will therefore only be available to users with a commercial license with Oracle.