Monday, March 04, 2013

Another Out-of-Band Critical Java Security Update

java

Unfortunately, there are programs that require Java in order to function.  In the event you are not in a position to uninstall Java, please update to the latest version, Java 7 Update 17 (correct, Version 16 was skipped).

Although Oracle was planning to wait until April to update Java to address CVE-2013-1493, Java 7 Update 17 was released by Oracle today.  Security Alert CVE-2013-1493 addresses two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Java Security Recommendations

Although Oracle changed Java security settings to “high” by default, it is advised that users of Java confirm the setting.

With the setting at high, you will be prompted to authorize the execution of applets which are either unsigned or are self-signed, thus providing the ability to deny the execution of a potentially malicious applet.

Changing the setting to "Very High" will result in unsigned (sandboxed) apps not being able to run.

1)  In the Java Control Panel, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:  Java Version 7 Update 17

Verify your version:  http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 16 April 2013
  • 18 June 2013
  • 15 October 2013
  • 14 January 2014

    References





    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    No comments: