Oracle Issues Critical Updates for Java, Releases Java SE 8u45

Posted on April 15th, 2015 by

Oracle has released an update for Java SE that addresses 14 security bugs, all of which may be exploitable over a network without the need for a username and password.

With this update, Oracle will stop posting Java SE 7 updates to its public download sites after April 2015. Since January 2015, Oracle has been migrating Java 7 users who have the auto-update feature enabled over to Java 8; if you haven't switched yet, now is a good time to move to the latest (more secure) release, Java 8 Update 45.

Supported Java versions affected by one or more of the vulnerabilities patched in this update include Java SE 5.0u81, Java SE 6u91, Java SE 7u76, Java SE 8u40, JavaFX 2.2.76 and JRockit R28.3.5.
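To check machines against the affected versions listed above, the following sketch classifies the first line of `java -version` output. It is an added example, not code from Oracle or from the original article; the host names and banners are constructed samples, and treating updates older than a listed level as affected is an assumption.

```python
import re

# Update levels the article lists as affected, keyed by Java family
# (Java SE 5.0u81, 6u91, 7u76, 8u40).
AFFECTED_UPDATE = {5: 81, 6: 91, 7: 76, 8: 40}
FIXED = (8, 45)  # Java SE 8u45, the release the article recommends

# Legacy "1.<family>.0_<update>" scheme used by these releases.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(banner):
    """Classify a banner as 'affected', 'current', 'review' or 'unknown'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    # Assumption: updates older than a listed level share its flaws.
    if family in AFFECTED_UPDATE and update <= AFFECTED_UPDATE[family]:
        return "affected"
    if family == FIXED[0] and update >= FIXED[1]:
        return "current"
    # Not covered by the article, e.g. a Java 7 build newer than 7u76
    # or a family below 5: needs a manual look.
    return "review"


# Constructed sample banners (first line of `java -version`, on stderr).
SAMPLES = {
    "host-a": 'java version "1.8.0_40"',
    "host-b": 'java version "1.7.0_76"',
    "host-c": 'java version "1.8.0_45"',
    "host-d": 'java version "1.6.0_65"',
    "host-e": "java: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLES.items()):
        print(f"{host}: {assess(banner)}")
```

Because `java -version` writes to stderr, capture it with `2>&1` when collecting banners from real hosts.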

Do you really need Java?

Java is widely installed across all operating systems, but because Java applets can be embedded in web pages, the bug-riddled software is an easily exploitable attack vector. Although Java is on the decline, it remains one of the most attractive targets for cyber-criminals.

If you have Java installed and need to use Java for websites or applications, it's a good idea to take a few minutes to update this software. If you don't have a need for it, you should consider removing Java altogether.

For those who wish to continue using Java, Brian Krebs, writing at Krebs on Security, provided some valuable methods you can use to reduce your risk as a Java user. He said:

"If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java."

Java vulnerabilities

For those of you interested, here's a list of the vulnerabilities that Oracle patched in the latest Java update:

  • CVE-2015-0204 : Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: JSSE). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit accessible data as well as read access to a subset of Java SE, JRockit accessible data.
  • CVE-2015-0458 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2015-0459 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2015-0460 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Hotspot). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2015-0469 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2015-0470 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Hotspot). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data.
  • CVE-2015-0477 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Beans). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data.
  • CVE-2015-0478 : Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: JCE). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JRockit accessible data.
  • CVE-2015-0480 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Tools). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
  • CVE-2015-0484 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JavaFX accessible data as well as read access to a subset of Java SE, JavaFX accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JavaFX.
  • CVE-2015-0486 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.
  • CVE-2015-0488 : Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: JSSE). Easily exploitable vulnerability allows successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit.
  • CVE-2015-0491 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2015-0492 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

For those who use Java, we recommend updating immediately. Java users can head over to Oracle's website to download Java SE 8u45 as advised. Users running Java SE with a browser can download the latest release from Java.com.