Oracle plugs 40 security holes in latest Java fix

Oracle advises users to patch up immediately

Oracle keeps on releasing patches to bung up the veritable leaky bucket that is Java, with the latest fix addressing some 40 security holes.

Of those, 34 major security fixes bundled in the newly released Java 7 Update 25 (Java 7u25) affect client deployments of Java. 11 of those received the maximum score on Oracle's Common Vulnerability Scoring System (CVSS). Four vulnerabilities affect both client and server deployments, the most severe receiving a CVSS score of 7.5.

While some of the updates only patch particular versions of Java, most affect versions 7, 6 and 5. JavaFX 2.2.21 and earlier versions of JavaFX are also affected.

The patch has been released to fix some particularly gaping security holes, with all but three of them exploitable over the network without authentication. This means attackers can take control of the computers of users who visit web pages with malicious embedded Java Web applications hosted on remote servers.

Severe vulnerabilities

In a company blog post, Eric Maurice, Oracle's Director of Software Assurance, said: "Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities.

"Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way."

Back in October, Oracle announced that it would be releasing Java updates on a quarterly basis. A number of companies have fallen foul of Java exploits this year, including Microsoft, Apple and Facebook.

Kane Fulton