
Oracle Corporation


Fool me twice: Apple releases Java update for the latest Zero Day


Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended users disable Java until Oracle addresses the issue. Today, Oracle said it knew about the flaw since Feb. 1 but didn’t get around to patching it in the last release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.


Java browser plug-in on OS X re-enabled with update to Java 7

Reports from earlier this week noted Apple had recently blocked Java 7 browser plug-ins again on OS X. While the exact reason was unclear, a terminal workaround is no longer required. Oracle released update 13 for Java 7 for Mac OS X today. The critical patch brings over 50 new security fixes for Java SE products, in addition to re-enabling plug-ins on OS X.

The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

Apple removes Java applet plugin from OS X, continuing push for plugin-free web


Further pushing toward the idea of a plugin-free internet, Apple has issued an update to Java for OS X that removes the Java applet plugin. Attempting to use a Java applet through any OS X web browser will now prompt users to download the latest version directly from Java maker Oracle.

This is not the first time Apple has stopped shipping a specific browser plugin with their computers. With OS X Lion, users discovered that their Macs no longer came with Adobe’s oft-derided Flash Player plugin due to its instability and security issues. Apple has long held browser plugins in contempt, especially following the success of iOS, which hasn’t supported browser plugins at all in the past six years.

Just about every Mac Trojan/vulnerability over recent months and years has been related to outdated Java code. This move should close off those attack vectors.



Oracle sues Lodsys, attempts to invalidate patents

Texas-based shell company Lodsys has often been accused of being a patent troll for its various attempts to take legal action against app developers and companies that it claims use its technologies. Most notably, the company last year attempted to get iOS and Android developers to pay royalties over in-app purchasing before Apple’s legal team eventually intervened on behalf of developers. Now, after recent threats from Lodsys to Oracle customers such as Walgreens over a web-chat technology, Oracle is suing Lodsys in an attempt to invalidate its patents. GigaOM reported:

Oracle has decided to weigh in because Lodsys “has repeatedly threatened numerous Oracle customers” such as Walgreens over the use of a web-chat feature Lodsys claims to own. Oracle is asking the court to declare that the four patents Lodsys is using to bully its customers are not new inventions. The patents, including US Patent  5,999,908 (“customer based design module”), came to prominence last year when Lodsys used them to sue Best Buy, Adidas and others.

Apple generates four times more revenue for Google than Android devices


Google gave testimony to Congress last year claiming it earned two-thirds of its mobile revenue from iOS devices, but now it seems as though the company’s estimate might have been low.

Google made less than $550 million in revenues for Android between 2008 and 2011, while making four times as much revenue during the same period with Apple products that employ Google services like Search and Maps.

According to The Guardian, the settlement offer provided yesterday by Google to Oracle depicted Android’s revenue streams. Settlement discussions ordered by Judge William Alsup were derailed when Oracle rejected Google’s low offer to pay royalties on Android if alleged patent infringements are deemed true in court.

Reuters reported yesterday that the settlement stems from a 2010 lawsuit where Oracle claimed its Java-related patents were infringed by Android. Oracle acquired the intellectual property in question when it purchased Sun Microsystems in 2010.

