Go ahead and update Java—or disable it if you don’t remember the last time you actually used it on the Web: Oracle’s latest patch, released Tuesday, fixes 25 vulnerabilities in the aging platform, including one that’s already being exploited in attacks.
In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components.
The patched products include Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. However, only the Java 8 update is publicly available, because general support for Java 7 and Java 6 ended some time ago. Only customers with extended support contracts continue to get access to security patches for those versions.
Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.
One fix is specific to the Mac platform and four fixes are for the Java Secure Socket Extension (JSSE), said Eric Maurice, director of software security assurance at Oracle, in a blog post.
The most high-risk vulnerability fixed in this Java update is known as CVE-2015-2590 and had zero-day status until this update. This means attackers were already exploiting it while no fix was available.
An exploit for this vulnerability was recently uncovered by researchers from Trend Micro in attacks that targeted at the very least the armed forces of an unnamed NATO country and a U.S. defense organization.
The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 that is believed to have ties to Russia’s intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.
While Java is still widely used for Web-based applications in business environments, it’s rarely seen on consumer-oriented websites today. Therefore, many users don’t need the Java browser plug-in, which is the target of the majority of Java exploits.
Manually removing or disabling Java from every browser installed on a computer is possible, but the plug-in might get re-enabled with the next Java update. And uninstalling the Java runtime completely from the system is often not viable, because there are still popular desktop applications that need it.
Fortunately, Oracle added an option in the Java control panel that serves as a central place to disable support for Java-based content across all browsers.
For companies that do need Java support on the Web, defending against zero-day exploits can be a bit more complicated. However, there are options to significantly reduce the likelihood of attacks.
Internet Explorer has a feature that administrators can use to restrict which websites are allowed to load Java content, like only those hosting relevant business applications. And browsers like Mozilla Firefox and Google Chrome have a click-to-play option that can be used to prevent the automatic execution of Web-based Java content.