It’s discouraging when an application update is compromised before we’ve even had the chance to apply it.
Oracle has released Java 7 Version 13, hot on the heels of Version 11, to fix a zero-day exploit — and numerous other security flaws.
Oracle rushes out an oversized Java patch
In mid-January, Oracle released Java 7 Version 11, which I discussed in the Jan. 17 Patch Watch (paid section). Reportedly, less than a day after Version 11’s release, hacker sites were offering a new exploit for the update. Oracle had scheduled the next Java update for Feb. 19 but surprised us all by releasing Version 13 on Feb. 1. As noted in the Oracle Software Security Assurance Blog, the company accelerated the release because there are active, in-the-wild attacks.
Java 7 Version 13 (no word on what happened to Version 12) is no small fix. The Oracle blog post states that the update is critical and patches 50 security vulnerabilities, 44 of which are for browser versions of Java.
As Woody noted in his Jan. 24 Top Story, “Security alert: Remove Java from your browsers” — and I repeated in the companion story, “Java: More than the usual cup of coding coffee” — the best policy is to uninstall or disable Java if you don’t truly need it.
Those stories prompted a few reader emails asking about problems with the Java Control Panel, updated in Version 11. As I discussed in the Jan. 17 Patch Watch, the control-panel update can fail if you have older versions of Java still installed. Go into Windows’ application-removal tool and look for all Java entries. (You likely won’t find them by looking in the Java Control Panel.) Uninstall any that were installed prior to Version 11.
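The same inventory can be pulled from the registry keys behind Windows' application-removal list. The PowerShell below is an added example, not part of the original article or anything from Oracle; it assumes PowerShell 3.0 or later, reads "prior to Version 11" as a lower version number, and assumes display names of the form "Java 7 Update 11". It only reports and uninstalls nothing.

```powershell
# Added example: list Java entries registered for uninstall and flag any that
# are older than the baseline named in the article (Java 7 Update 11).
$baselineMajor  = 7
$baselineUpdate = 11

# Per-machine uninstall keys. The WOW6432Node path holds 32-bit installs on
# 64-bit Windows and simply does not exist on 32-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# "\b" after the name keeps unrelated products such as "JavaFX" out of the list.
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)\b' }

$report = foreach ($e in $entries) {
    # Assumed name formats: "Java 7 Update 11", "Java(TM) 6 Update 37",
    # "J2SE Runtime Environment 5.0 Update 22". The leading "\s" stops the
    # "2" in "J2SE" from being read as the major version.
    if ($e.DisplayName -match '\s(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?') {
        $major  = [int]$Matches[1]
        $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        $older  = ($major -lt $baselineMajor) -or
                  ($major -eq $baselineMajor -and $update -lt $baselineUpdate)
        $status = if ($older) { 'older than baseline' } else { 'ok' }
    } else {
        # Entries such as "Java Auto Updater" carry no version in the name.
        $status = 'version not parsed, check manually'
    }
    [pscustomobject]@{
        Name    = $e.DisplayName
        Version = $e.DisplayVersion
        Status  = $status
    }
}

if ($report) {
    $report | Sort-Object Status, Name | Format-Table -AutoSize
} else {
    'No Java entries found in the uninstall registry keys.'
}
```

Run it again after upgrading: an entry flagged "older than baseline" that is still listed is a leftover install that the newer version did not replace.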
What to do: If you need Java, upgrade to Version 13 by using the Update Now button in the Java Control Panel; or use the download button on the Java website. And keep an eye out for that obnoxious offer for the Ask Toolbar.