Security Explorations experts explain what has been fixed and what hasn't been

Feb 2, 2013 11:20 GMT  ·  By

Oracle has released the February 2013 Critical Patch Update (CPU) for Java SE. The CPU has been released ahead of schedule (the initial date was February 19) because many of the vulnerabilities uncovered in Java are actively exploited in the wild.

Besides security in-depth fixes, the February CPU for Java SE addresses a total of 50 vulnerabilities, 44 of which affect the client deployment of Java.

Three of the bugs can be exploited on desktops through Java Web Start and Java applets in the browser, or on servers, and two of the fixes apply to the server deployment of the Java Secure Socket Extension (JSSE).

We’ve reached out to Security Explorations, the Polish company that’s responsible for identifying most of the latest vulnerabilities, to find out if any of the bugs they’ve uncovered remain unfixed.

“According to information received from Oracle on Feb 01, 2013 at 12:01 PM U.S. Pacific Time, Java SE Critical Patch Update released yesterday incorporates fixes for several critical security issues reported to the company since April 2012,” Adam Gowdiak, the CEO of Security Explorations said.

“This includes, but is not limited to, the fix for a critical Issue 50 affecting all Java SE versions released over the recent 8 years’ time, but also the fixes for most recent Issues such as 52 and 53, with the latter allowing for a complete bypass of Java SE 7’s new security features aimed at preventing silent exploitation of Java vulnerabilities,” he added.

“As of today, there is only one vulnerability left (Issue 51), which is yet to be addressed by Oracle.”

One noteworthy thing is that it took Oracle over 4 months to address “Issue 50,” despite the fact that it affected around 1 billion users, and despite the fact that Security Explorations demonstrated that it could be fixed in just 30 minutes.