Oracle releases Java SE 7 Update 13

  • 1 February 2013
  • 6 replies

Userlevel 7
Oracle released Java 7 update 13 today. This release contains fixes for security vulnerabilities. More to read and download here or here
 
I'd rather not argue about whether this build targets all vulnerabilities; surely it does not. I just wanted to let you know about this security update.

6 replies

Userlevel 7
Well, even if this update does not fix ALL of the issues, hopefully it is a good start on it! Thank you for the heads up!
Userlevel 7
Badge +13
Excellent news. Thanks for the information, as I will update now. :D
Userlevel 7
@DavidP wrote:
Well, even if this update does not fix ALL of the issues, hopefully it is a good start on it! Thank you for the heads up!
You're right, David. It will be a long haul, even if Oracle probably never completely succeeds in fixing everything; it's a feat that is hard to accomplish. Look at Microsoft: they have monthly patches all the time. However, what Oracle must do, and what all Java users expect, is to address all major vulnerabilities at least. Let's face it, some minor bugs will likely always be there.
Userlevel 7
Badge +6
Java JRE sucks.
Userlevel 7
Badge +56
Oracle quietly releases Java 7u13 early
 
Published: 2013-02-01,
Last Updated: 2013-02-01 21:59:59 UTC
by Jim Clausing (Version: 2)
 
First off, a huge thank you to readers Ken and Paul for pointing out that Oracle has released Java 7u13.  As the CPU (Critical Patch Update) bulletin points out, the release was originally scheduled for 19 Feb, but was moved up due to the active exploitation of one of the critical vulnerabilities in the wild.  Their Risk Matrix lists 50 CVEs, 49 of which can be remotely exploitable without authentication.  As Rob discussed in his diary 2 weeks ago, now is a great opportunity to determine if you really need Java installed (if not, remove it) and, if you do, take additional steps to protect the systems that do still require it.  I haven't seen jusched pull this one down on my personal laptop yet, but if you have Java installed you might want to do this one manually right away.  On a side note, we've had reports of folks who installed Java 7u11 and had it silently (and unexpectedly) remove Java 6 from the system thus breaking some legacy applications, so that is something else you might want to be on the lookout for if you do apply this update. 
Update: (2013-02-01 22:00 UTC) Thanx to another Ken for pointing out that 26 of the CVEs have a CVSS base score of 10.0 and to Neil for pointing out that 6u39 is out, too.
 
Full Article
 
TH
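As an added example for the "check your installed Java" step the diary above recommends (this is not code from the ISC post or from Oracle), the following Python script parses `java -version` output gathered from several hosts and flags runtimes below the 7u13 and 6u39 levels the diary names; the host names and version strings are constructed for illustration.

```python
"""Flag Java runtimes older than the February 2013 CPU levels (7u13, 6u39).

Added example for this thread, not code from ISC or Oracle. The sample
`java -version` outputs below are constructed, not captured from real hosts.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum patched update level per major line, taken from the diary text.
MIN_PATCHED = {6: 39, 7: 13}

# Matches the first line of `java -version` output, e.g. java version "1.7.0_11"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` text, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2) or 0)  # "1.7.0" with no suffix is update 0
    return major, update


def is_patched(output: str) -> Optional[bool]:
    """True if at/above the 7u13 / 6u39 level, False if older, None if the
    version cannot be parsed or the major line is not one the CPU covers."""
    parsed = parse_java_version(output)
    if parsed is None or parsed[0] not in MIN_PATCHED:
        return None
    major, update = parsed
    return update >= MIN_PATCHED[major]


# Constructed sample outputs, as one might collect with `java -version 2>&1`.
SAMPLE_HOSTS = {
    "lab-pc-01": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "lab-pc-02": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)',
    "legacy-app": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)',
    "no-java": "bash: java: command not found",
}


def report(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched', 'needs update' or 'unknown'."""
    labels = {True: "patched", False: "needs update", None: "unknown"}
    return {host: labels[is_patched(out)] for host, out in hosts.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_HOSTS).items():
        print(f"{host:12} {status}")
```

A host with no Java at all, or with a major line the CPU does not cover, is reported as "unknown" rather than silently counted as patched.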
Userlevel 7
Another hindsight on Update 13.
 
________________________________________________________________________________________________
 
Oracle pushes Java 7 Update 13 out early, after one of 50 vulnerabilities addressed is exploited in the wild

Just a day after news broke that Apple had blocked Java for the second time this month, Oracle on Friday announced the release of Java 7 Update 13 to address 50 vulnerabilities. The patch comes more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”

Oracle says after it received reports of a vulnerability in JRE, it quickly confirmed it and then proceeded with “accelerating normal release testing” for the regular Java update, which it says already contained a fix for the issue. “Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” the company said.

Oddly, the last update was number 11, and it’s not immediately clear what happened to the twelfth. Nevertheless, if you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u13.

Oracle says 44 of 50 vulnerabilities only affect Java in Internet browsers. This means they can only be exploited on desktops through Java Web Start applications or Java applets, but that’s exactly where consumers are hit.

Oracle is an enterprise company, however, and that is where its focus lies. Yet this rushed update, as well as recent security improvements, shows the company is starting to care more and more about all its Java users.

Three of the fixed vulnerabilities apply to client and server deployment of Java, meaning they can be exploited on desktops as well as servers (by supplying malicious input to APIs in the vulnerable server components). Two of the vulnerabilities only apply to server deployment and one vulnerability affects the installation of JRE.

It’s not clear which one of the 44 was being exploited in the wild, but multiple vulnerabilities have been publicly discussed since Update 11. For example, at least one was being sold for $5,000 on January 16, two we reported about on January 18, and another one was mentioned on January 28. 
________________________________________________________________________________________________
