Update Your Java to Patch 20 Vulnerabilities Or Just Disable it
Today, Oracle released its quarterly Critical Patch Update (CPU) for July, fixing a total of 113 new security vulnerabilities across hundreds of the company's products.

The update for Java, Oracle's widely deployed runtime and browser plug-in, addresses 20 vulnerabilities, all of which are remotely exploitable without authentication: an attacker needs no username or password to exploit them over a network, typically by luring a victim to a web page that loads a malicious applet.

Oracle rates the flaws it fixes using the Common Vulnerability Scoring System (CVSS), an open, standardized scoring scheme. One of the Java vulnerabilities received the maximum CVSS base score of 10.0, and several others scored close to it.

Numerous other Oracle products are also covered by this update: around 29 vulnerabilities in Oracle Fusion Middleware, 27 of which are remotely exploitable without authentication, seven in Hyperion products, and five apiece in Oracle Database and E-Business Suite. Java SE, however, was the only product with a vulnerability scoring the maximum rating.

The Java patches are therefore the most urgent and should be at the top of your list: one of the Java SE vulnerabilities in this update, CVE-2014-4227, scores 10.0 out of 10 on the CVSS scale, and seven of the other Java SE client vulnerabilities received a CVSS base score of 9.3.

Oracle Database Server also receives fixes for five vulnerabilities, one of which is remotely exploitable without authentication, and MySQL Server receives 10 fixes, none of which are remotely exploitable without authentication.

The company recently announced that it would no longer support Java on Windows XP, though it expects Java 7 to keep working on Windows XP, and Oracle security updates for Java on XP machines will continue to install.
"This end of support announcement has been misread as 'Java no longer works on Windows XP' or 'Oracle will stop Java updates from being applied on Windows XP.' These statements are not correct," said Oracle vice-president of product management in the Java Platform Group Henrik Stahl.
"We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP."
Java 8, however, is not designed to install on Windows XP at all: the Java 8 installer will not run on that operating system without manual intervention.


Java runs on more than 850 million personal computers and on billions of devices worldwide, so exposure to Java zero-day exploits is a growing concern for millions of Windows, Mac OS, and Linux users.

Security experts recommend not installing Java if you do not already have it, and disabling it, or at least its browser plug-in, if you have it but do not regularly use an application or visit a website that requires it.
The company is urging its customers to update their systems as soon as possible. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the firm warned.
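Before deciding between updating and disabling, it helps to know exactly which Java line and update level a machine is running, since the fixed builds differ per line and Java 6 no longer receives public updates at all. The following is an added example, not code from the article or from Oracle: it parses the banner that `java -version` prints and checks it against a minimum update level per line. The minimum levels used here (Java SE 7 Update 65 and Java SE 8 Update 11, the builds shipped with the July 2014 CPU) are assumptions for the example and should be confirmed against Oracle's advisory; the sample banners are constructed. It also handles the newer `major.minor.security` version scheme used from Java 9 onward, which the article does not discuss.

```python
import re
import subprocess

# Minimum update level per Java line. Assumed here to be the July 2014 CPU
# builds (7u65, 8u11); confirm against Oracle's advisory before relying on it.
MINIMUM_UPDATE = {7: 65, 8: 11}

# Matches both 'java version "1.7.0_65"' and 'openjdk version "11.0.2"'.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from the output of `java -version`.

    Legacy scheme: "1.7.0_65" -> (7, 65).
    Java 9+ scheme: "11.0.2"  -> (11, 2), the security number acting as the update.
    Returns None when no version string is present (e.g. Java not installed).
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    first, second, third, update = match.groups()
    if first == "1":
        return int(second), int(update or 0)
    return int(first), int(third)


def is_patched(banner, minimum=None):
    """True if the JRE in `banner` is at or above the minimum for its line.

    A missing version or a line without a known minimum (such as Java 6, whose
    public updates have ended) is reported as unpatched, so the safe default is
    to update or remove it.
    """
    minimum = MINIMUM_UPDATE if minimum is None else minimum
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    return major in minimum and update >= minimum[major]


def installed_java_banner():
    """Run `java -version` on this host; the JVM writes the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, not real machine output.
    samples = [
        'java version "1.7.0_65"\nJava(TM) SE Runtime Environment (build 1.7.0_65-b17)',
        'java version "1.7.0_60"',
        'java version "1.8.0_11"',
        'java version "1.6.0_45"',
        "bash: java: command not found",
    ]
    for banner in samples:
        print(parse_java_version(banner), "patched" if is_patched(banner) else "UPDATE OR REMOVE")
    print("this host:", is_patched(installed_java_banner()))
```

If you keep Java for desktop applications but have no site that needs it, the plug-in can be switched off separately: in the Java Control Panel's Security tab, untick "Enable Java content in the browser", which persists as `deployment.webjava.enabled=false` in the user's deployment.properties file. That removes the browser attack surface the remotely exploitable flaws above rely on while leaving local applications working.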

Oracle has published full details of the fixes in its July Critical Patch Update advisory.
