Oracle Corp released a major security update on Tuesday for the version of the Java programming language that runs inside Web browsers, to make it a less popular target for hackers. The patch fixes 42 vulnerabilities within Java, including "the vast majority" of those that have been rated as the most critical, said Oracle Executive Vice President Hasan Rizvi.

A series of big security flaws in the Java plug-in for browsers has been uncovered in the past year by researchers and hackers, and some have been used by criminal groups before previous patches were issued. One widespread hacking campaign disclosed this year infected computers running Microsoft Corp's Windows and Apple software inside hundreds of companies, including Facebook, Apple Inc and Twitter.

The situation grew so bad earlier this year that the U.S. Department of Homeland Security recommended that computer users disable Java in the browser. But many large companies use internal software that relies on Java and have been pressing Oracle to make the language safer.

Perhaps the most significant change will be that, in the default setting, sites will not be able to force the small programs known as Java applets to run in the browser unless they have been digitally signed. Users can override that only if they click to acknowledge the risk, Rizvi said.

Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said. Primarily a database software and applications company, Oracle inherited Java when it bought Sun Microsystems in 2010. It is the company's greatest exposure to the mass market, as versions of Java run on desktops, in telephones and other devices, and on servers.

The browser version, however, has been especially prone to security problems. Last year, Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.