Friday, March 8, 2013

[Sigh] Time to patch Java

Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software. This patch plugs a dangerous security hole in Java that attackers have been exploiting to break into systems.

Java 7 Update 17 and Java 6 Update 43 address a critical vulnerability (CVE-2013-1493) in Java that security experts warned last week was being used in targeted attacks against high-profile targets.
It's being exploited in the wild, for pwnage and lulz.  Again.
“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” wrote Oracle’s Eric Maurice.  “However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”
You can get the patch at the link immediately above, or you can do like me and simply disable Java.  In Firefox you go to the pulldown Firefox menu (the orange box in the upper left corner of the browser window) and select "Add-ons".  You'll see Java.  If the box says "Enable", it means that it's turned off.

You can find instructions on turning it off in other browsers here.
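If you keep Java installed, you can check whether a machine has reached the fixed builds named above (Java 7 Update 17, Java 6 Update 43). The script below is an added example, not part of the original post. It assumes the legacy `java version "1.x.0_NN"` banner printed by `java -version`, and the host names and banners in it are constructed.

```python
import re

# Fixed builds named in the post for CVE-2013-1493, keyed by Java family.
FIXED_UPDATE = {7: 17, 6: 43}

# Legacy banner format (assumption): java version "1.7.0_15"
VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')


def parse_version(banner):
    """Return (family, update) parsed from `java -version` output, or None."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    # A GA build such as "1.7.0" carries no update suffix; treat it as update 0.
    return int(match.group(1)), int(match.group(2) or 0)


def has_fix(banner):
    """True/False for Java 6 and 7; None when the post gives no baseline."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    baseline = FIXED_UPDATE.get(family)
    if baseline is None:
        return None  # family not covered by this alert; check it separately
    return update >= baseline


# Constructed sample banners, as they might be collected from several hosts.
SAMPLES = {
    "desk-01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "desk-02": 'java version "1.7.0_17"',
    "desk-03": 'java version "1.6.0_41"',
    "desk-04": 'java version "1.6.0_43"',
    "desk-05": 'java version "1.5.0_22"',
}


def audit(samples):
    """Map each host to True (fixed), False (needs the update) or None (unknown)."""
    return {host: has_fix(banner) for host, banner in samples.items()}


if __name__ == "__main__":
    labels = {True: "has the fix", False: "NEEDS UPDATE", None: "not covered, check manually"}
    for host, status in sorted(audit(SAMPLES).items()):
        print(f"{host}: {labels[status]}")
```

A `True` result only means the build includes the fix for this alert; it says nothing about issues patched in later updates.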


Alan said...

No one should be using Java at this point. It's hopelessly FUBARd.

Jake (formerly Riposte3) said...

How do you know it's time to patch Java? The name of the day ends with the letter "y".

TinCan Assassin said...

At this point it's more patch than program.