By Joseph Menn

SAN FRANCISCO, April 16 (Reuters) – Oracle Corp released a major security update on Tuesday for the version of the Java programming language that runs inside Web browsers to make it a less popular target for hackers.

The patch fixes 42 vulnerabilities within Java, including “the vast majority” of those that have been rated as the most critical, said Oracle Executive Vice President Hasan Rizvi.

A series of big security flaws in the Java plug-in for browsers have been uncovered in the past year by researchers and hackers, and some have been used by criminal groups before previous patches were issued.

One widespread hacking campaign disclosed this year infected computers using Microsoft Corp’s Windows and Apple software inside hundreds of companies, including Facebook, Apple Inc and Twitter.

The situation grew so bad earlier this year that the U.S. Department of Homeland Security recommended that computer users disable Java in the browser. But many large companies use internal software that relies on Java and have been pressing Oracle to make the language safer.

Perhaps the most significant change will be that, in the default setting, sites will not be able to force the small programs known as Java applets to run in the browser unless they have been digitally signed. Users can override that only if they click to acknowledge the risk, Rizvi said.

Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said.

Primarily a database software and applications company, Oracle inherited Java when it bought Sun Microsystems in 2010. It is the company’s greatest exposure to the mass market, as versions of Java run on desktops, in telephones and other devices and on servers.

The browser version, however, has been especially prone to security problems.

Last year, Java surpassed Adobe Systems Inc’s Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was the vehicle for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

Although no high-profile Oracle customers have publicly threatened to desert the company over security issues, Rizvi acknowledged widespread concern.

“It was pretty embarrassing what happened with the Facebook attacks,” said IDC analyst Al Hilwa.

“It’s a fight for the Java plug-in’s life. Either a lot of companies are going to turn these off, or they are going to have their confidence restored.”