Oracle has shipped its latest Critical Patch Update (CPU) for Java, Java SE 7 Update 25. The June release is one of Oracle’s regularly scheduled Java updates, but a routine schedule should not be mistaken for a routine patch: this update fixes several high-risk issues that warrant immediate attention.
In total, the update addresses 40 flaws, 37 of which are remotely exploitable without authentication.
“The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system,” said Ross Barrett, senior manager of security engineering at Rapid7.
Oracle has made several efforts this year to harden Java. The Java Control Panel now exposes a security-level setting, applets are expected to be signed with valid X.509 code-signing certificates, and Oracle maintains its own blacklist of malicious applications and certificates that the runtime checks against.
Oracle’s efforts notwithstanding, not everyone believes that Java can be secured.
“Java is definitely a cesspool of vulnerabilities waiting to be discovered, some of which will be patched and exploited,” Jeremiah Grossman, founder and CTO of WhiteHat Security, told eSecurity Planet. “The thing to closely monitor is how fast end-users are actually patching, not just how many vulnerabilities are being addressed when the patch is made available.”
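The patch-adoption point above is the operational one: after a CPU like this, the question for a defender is which hosts still run an older JRE. The following is an added example, not code from the article, Oracle, Rapid7 or WhiteHat. It parses the version line that `java -version` prints (the `1.x.y_NN` scheme used by Java 8 and earlier) and compares it against the 7u25 baseline the article reports; the hostnames and version outputs in the sample inventory are constructed, and the function and constant names are this example’s own.

```python
import re

# Baseline taken from the article: Java SE 7 Update 25 prints as "1.7.0_25".
# Only the Java 7 family is modelled because that is the update discussed;
# any other family is reported for review rather than assumed patched.
BASELINES = {7: 25}  # family -> minimum update number

# Matches the first line `java -version` writes to stderr, for example:
#   java version "1.7.0_21-b11"
#   java version "1.6.0_45"
#   java version "1.7.0"        (no update number at all)
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` output.

    A missing update field (e.g. "1.7.0") is treated as update 0. Raises
    ValueError when no version line is present, so a host whose output is
    unparseable is never silently treated as patched.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no java version line found: {output!r}")
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_patched(output, baselines=BASELINES):
    """True if the JRE described by `output` meets the baseline for its family.

    Families with no known baseline (here, anything but Java 7) return False
    so that they surface for manual review instead of disappearing.
    """
    family, update = parse_java_version(output)
    if family not in baselines:
        return False
    return update >= baselines[family]


def hosts_needing_attention(inventory, baselines=BASELINES):
    """Return hostnames whose JRE is below baseline, unknown, or unparseable.

    `inventory` is an iterable of (hostname, java_version_output) pairs, as a
    fleet-collection job might produce.
    """
    flagged = []
    for host, output in inventory:
        try:
            if not is_patched(output, baselines):
                flagged.append(host)
        except ValueError:
            # No Java found, or output in an unexpected shape: still worth a look.
            flagged.append(host)
    return flagged


# Constructed sample inventory; hostnames and outputs are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-01", 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)\n'),
    ("ws-02", 'java version "1.7.0_21-b11"\n'),
    ("ws-03", 'java version "1.6.0_45"\n'),
    ("ws-04", 'java version "1.7.0"\n'),
    ("ws-05", "bash: java: command not found\n"),
]

if __name__ == "__main__":
    for host in hosts_needing_attention(SAMPLE_INVENTORY):
        print("needs attention:", host)
```

The check deliberately errs toward flagging: a host with no Java at all, or with a runtime from a family the baseline table does not cover, is listed alongside genuinely stale installs so that the inventory job cannot produce a clean report simply because parsing failed.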