Oracle has fixed the Java zero-day exploit

After the huge media impact that followed the full disclosure of the vulnerability in Java 7 Update 10, many national and international organizations (Germany’s BSI, US-CERT) started recommending that their readers uninstall Java. Oracle could not simply stand by and watch its market share disappear, and over the weekend it started work on a fix, which is now available to everyone.

Please patch the Java installation with the latest version, Java version 7 Update 11.

This release contains fixes for the well-known security vulnerability we have already written about. Oracle has also written about it: Oracle Security Alert for CVE-2013-0422.

Among the fixes, we see three other issues addressed:

  • Default Security Level Setting Changed to High
  • The Java Control Panel Doesn’t Show Security Level Slider
  • Problems with Registration of Plugin on Systems with Stand-alone Version of JavaFX Installed

I am not sure right now if these fixes have something to do with CVE-2013-0422, but in Oracle’s description at least the first fix seems to be related.

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u11 are specified in the following table:

JRE Family Version    JRE Security Baseline (Full Version String)
7                     1.7.0_11
6                     1.6.0_37
5.0                   1.5.0_38
1.4.2                 1.4.2_40

If you have Java 6, you can find more details here about how to upgrade.

I strongly suggest, if possible, uninstalling any older Java version and installing only the latest.


So, is this the end of the escalation? No, far from it.

We have seen that Oracle is able to work fast under huge international pressure. This is good, but those who know how software development works also know that developing critical software under pressure has only one consequence: even more bugs.

That’s why we still recommend keeping Java deactivated unless you absolutely need it for your work. As an alternative, consider using one browser with Java activated for the Java-based applications you need, and another browser without Java for everyday use.

After performing the installation, you can double-check the installed Java version by visiting this page.
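For anyone who prefers to verify from the command line rather than a web page, here is an added example (not part of the original post and not Oracle’s tooling) that parses the first line of `java -version` output and compares it against the security baselines from the table above. It assumes the classic `java version "1.X.0_NN"` format used by Java 7 and earlier; the sample outputs embedded below are constructed for illustration. Note that `java -version` prints to stderr, not stdout, which the live check accounts for.

```python
import re
import subprocess

# Security baselines at the time of JDK 7u11, taken from the table in the post.
SECURITY_BASELINES = {
    "7": "1.7.0_11",
    "6": "1.6.0_37",
    "5.0": "1.5.0_38",
    "1.4.2": "1.4.2_40",
}

# Matches the first line of `java -version`, e.g. java version "1.7.0_11".
# Java 9+ uses a different scheme ("9.0.1") and deliberately does not match.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')

# Constructed sample outputs (not real captures); only the first line matters.
SAMPLE_OUTDATED = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n'
SAMPLE_PATCHED = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n'


def parse_version(text):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def family_of(version):
    """Map a full version tuple to the JRE family name used in the baseline table."""
    major, minor, micro, _update = version
    if (major, minor) == (1, 4):
        return "1.4.2" if micro == 2 else None
    if minor == 5:
        return "5.0"
    return str(minor)          # 1.6.x -> "6", 1.7.x -> "7"


def meets_baseline(text):
    """Compare parsed version with its family's baseline.

    Returns (True/False/None, message); None means the check could not be made.
    """
    version = parse_version(text)
    if version is None:
        return None, "could not parse java -version output"
    family = family_of(version)
    baseline_str = SECURITY_BASELINES.get(family)
    if baseline_str is None:
        return None, f"no security baseline known for family {family!r}"
    baseline = parse_version(f'java version "{baseline_str}"')
    # Tuples compare element by element, so update numbers are compared numerically.
    ok = version >= baseline
    installed = "%d.%d.%d_%d" % version
    return ok, f"installed {installed}, baseline {baseline_str}"


def check_installed():
    """Run the real `java -version` (which writes to stderr) and evaluate it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None, "java not found on PATH"
    return meets_baseline(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("outdated", SAMPLE_OUTDATED), ("patched", SAMPLE_PATCHED)):
        print(label, meets_baseline(sample))
    print("this machine", check_installed())
```

Older JRE families left installed alongside the new one are not seen by this check, which is one more reason to follow the advice above and uninstall them rather than only adding the latest release.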


Sorin Mustaca

IT Security Expert