Oracle Corporation (NASDAQ:ORCL) has released an emergency security update for Java, following calls for the company to disable certain software running on web browsers.
The Java SE 7 update 11 was issued on Sunday, and repairs a Security Manager bypass vulnerability and a remote code execution flaw in Java running in web browsers.
“Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited ‘in the wild’ and some exploits are available in various hacking tools,” said the company in its security advisory.
Oracle Corporation (NASDAQ:ORCL) is the third largest software company in the world, and the largest database producer. The company fared better in 2012 than the previous year, with its market share increasing. However, the company is facing tough competition from International Business Machines Corp. (NYSE:IBM) and Microsoft Corporation (NASDAQ:MSFT), as it struggles with a less fruitful hardware division that somewhat offsets the successes of its software.
The recent update to Java changes the default security level of the software from Medium to High. This enables a security feature which prompts the user before running Java in the browser. Reports of hackers targeting a new Java zero-day vulnerability emerged last week. Security experts, including the US Computer Readiness Team, have since said that the only way to provide sufficient protection is to disable Java running in the browser.
Code to exploit the vulnerabilities in the software was made publicly available and incorporated into various exploit kits such as the ‘Black Hole’ exploit kit and the ‘Cool’ attack toolkit, amongst others. Security researchers are tracking 15-20 different attack kits, said Tim van der Horst, a senior malware researcher at California-based Blue Coat Systems. Van der Horst said that many of the attack toolkits have similar features and are designed to get people running attacks quickly and easily – making the attacks widespread, according to the US Computer Readiness Team.
Oracle Corporation (NASDAQ:ORCL) says that Java needs to be re-enabled in order for the latest security update to be applied. Users running in-browser Java can get the latest security update from Java.com, while Windows users will receive automatic updates to fix the security issues in the software.
“Java has a massive install base,” said van der Horst.
“Java is a large space for them to attack, and you attack where you know there will be a reasonable percentage of people who would be vulnerable because that’s where the money is.”
Despite the security flaws, shares of Oracle Corporation (NASDAQ:ORCL) have not suffered too badly. Today the stock was down by 0.29 percent, to $34.76.