Oracle patches Java vulnerability

ENTERPRISE VENDOR Oracle has issued an emergency patch for zero day vulnerabilities in its Java platform.

The company said that the update patches four flaws, including zero day vulnerabilities that attackers have been actively exploiting in the wild. All users and administrators are being advised to update their systems with the fix immediately.

The update addresses flaws in both Java 6 and Java 7. The company said that, if targeted, the vulnerabilities could allow an attacker to remotely execute code on a targeted system. Oracle said that server installations and standalone Java applications are not considered to be vulnerable to attack.

The fix, which was not previously scheduled for release, is considered to be an out-of-band update. Such releases are usually only issued in cases of actively targeted zero day attacks on a component.

Earlier this week, security experts took Oracle to task for its handling of the issue, claiming that the company knew about the flaw for months without issuing a fix.

Sophos security advisor Chester Wisniewski said that companies whose systems do not require Java access should consider limiting their exposure to the flaws by disabling the component.

"The bigger question is, 'Do you really need Java?' If you can get by without it, you should," Wisniewski wrote in a company blog post.

"That is true for any application that interfaces with the internet. Fewer programs means fewer vulnerabilities." µ

This article was originally published on V3.