In light of the recent Java security debacle, Oracle has released a Critical Patch Update advisory. The patch contains over 50 new security fixes, the vast majority of them carrying the highest possible severity score of 10.
Note: For the casual web user, please note that Java is not JavaScript. Java is a separate install/plug-in. If you don’t know you need Java you probably don’t, and you should disable it in your browser.
Oracle claims:
The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers was addressed with this Critical Patch Update.
That’s a lot of severe, critical vulnerabilities to be just sitting around waiting to be fixed. Seriously, Oracle? You’re supposed to be an enterprise-level company. This is highly unprofessional and borders on gross negligence.
This raises many questions, such as: How many more are there? Why did you wait so long to release an update? We know they didn’t find 50 vulnerabilities all at once just recently; these have probably been known for quite some time. I’m still trying to wrap my head around how that many vulnerabilities could go unpatched for so long. These weren’t just little things, these were severity-10 items!