Category Archives: Patches and updates

Java 7 update 40 released with no announcement

A new version of Java was released yesterday with zero fanfare from Oracle. Presumably that’s because there are no security vulnerability fixes in this release, since normally there would be an announcement on Oracle’s Critical Patch Updates, Security Alerts and Third Party Bulletin blog.

The update is listed on the main release notes page for Java 7. The release notes page for 7u40 shows that there have been a lot of changes in this release, including some related to security, but no fixes for specific security vulnerabilities. The complete list of bugs fixed in this release is enormous.

It will be interesting to see what Adam Gowdiak says about this release, since some of the vulnerabilities he has reported still existed in the previous Java release, 7u25. Update 2013Sep24: According to the vendor log on the Security Explorations site, “Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.” In other words, Issue 69 is STILL not fixed.

Patch Tuesday for September 2013

Another month, another pile of patches from Microsoft. This month there are fourteen bulletins, addressing security vulnerabilities in Windows, Internet Explorer, Office, and the .NET framework. Four of the bulletins are rated Critical.

As usual, the updates will become available after 10am PST from Windows Update.

The SANS Internet Storm Center has a detailed look at the vulnerabilities addressed by this month’s patches.

The Microsoft Security Response Center has a somewhat friendlier summary of this month’s updates.

Flash 11.8.800.168 fixes several security vulnerabilities

A new version of Flash was announced by Adobe today. Version 11.8.800.168 fixes four critical vulnerabilities. The official release announcement from Adobe provides details on all of the changes in this new version.

Anyone who uses a Flash-enabled web browser should install the new version as soon as possible. That includes anyone who uses YouTube.

The changes in this version will be ported to the Chrome web browser as embedded Flash version 11.8.800.170. Flash updates for Chrome tend to happen silently in the background. You can see which version of Flash Chrome is currently running by browsing to the chrome://flash/ page. Recently, the version of Flash in Chrome mysteriously rolled back to 11.8.800.97, so it will be interesting to see what happens with 11.8.800.170. (Update 2013Sep18: Chrome finally updated itself with Flash 11.8.800.170 today, a delay of one week, which is somewhat alarming. The version of Chrome itself also changed at the same time, to 29.0.1547.76.)

Internet Explorer 10 on Windows 8 also uses embedded Flash code. Microsoft Security Advisory 2755801, now available from Windows Update, patches IE10 on Windows 8 to use the new Flash version 11.8.800.168.

Reminder: latest Java still vulnerable

The most up-to-date version of Java (7 Update 25) is vulnerable to an exploit reported to Oracle on 2013Jul18 by Adam Gowdiak of Security Explorations.

This is just the latest version-specific vulnerability in a long series of related vulnerabilities that are all based on a fundamental weakness of Java that has existed for over ten years and has yet to be properly addressed.

Oracle has assured Mr. Gowdiak that this vulnerability will be eliminated in Java 7 Update 40, to be released in September 2013. The good news is that no active exploits for this vulnerability have yet been discovered.

As always, we recommend that you use Java with caution. Disabling Java in your web browser can decrease your exposure to Java-based attacks.

Update 2013Sep11: Java 7 update 40 was released yesterday, but there do not appear to be any specific fixes for this or any other security vulnerability. Some security-related changes were made in 7u40, and those changes may mitigate the vulnerability reported by Mr. Gowdiak. We will await an update from Mr. Gowdiak for confirmation either way.

Update 2013Oct16: Mr. Gowdiak has confirmed that this issue was resolved in Java 7 Update 40.