Java Runtime Environment 7.0 Update 13, another try to fix the problem

pyonir

Lifer
Dec 18, 2001
40,856
321
126
Wait...what happened to 12? Did it ever even come out? I think I looked yesterday (might have been the day before) and it was still on 11. lol
 

BrightCandle

Diamond Member
Mar 15, 2007
4,762
0
76
Java 7 has been a disaster from the outset. There were problems with the new garbage collection algorithm in the beginning that caused crashes, numerous changes that broke common tools, and quite a few major security flaws. Since Oracle took over, Java has barely changed, but the quality of the releases has plummeted.

In the past I would always move on to the latest as quickly as possible, but I really took my time with Java 7; the initial releases were just totally broken.
 

Harvey

Administrator, Elite Member
Oct 9, 1999
35,058
70
91
Thenextweb.com reports that, according to Oracle, Update 13 addresses 50 vulnerabilities.

Oracle pushes Java 7 Update 13 out early, after one of 50 vulnerabilities addressed is exploited in the wild

Just a day after news broke that Apple had blocked Java for the second time this month, Oracle on Friday announced the release of Java 7 Update 13 to address 50 vulnerabilities. The patch comes more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”

Oracle says after it received reports of a vulnerability in JRE, it quickly confirmed it and then proceeded with “accelerating normal release testing” for the regular Java update, which it says already contained a fix for the issue. “Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” the company said.

Oddly, the last update was number 11, and it’s not immediately clear what happened to the twelfth. Nevertheless, if you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u13.

Oracle says 44 of 50 vulnerabilities only affect Java in Internet browsers. This means they can only be exploited on desktops through Java Web Start applications or Java applets, but that’s exactly where consumers are hit.

Oracle is an enterprise company, however, and that is where its focus lies. Yet this rushed update, as well as recent security improvements, shows the company is starting to care more and more about all its Java users.

Three of the fixed vulnerabilities apply to client and server deployment of Java, meaning they can be exploited on desktops as well as servers (by supplying malicious input to APIs in the vulnerable server components). Two of the vulnerabilities only apply to server deployment and one vulnerability affects the installation of JRE.

It’s not clear which one of the 44 was being exploited in the wild, but multiple vulnerabilities have been publicly discussed since Update 11. For example, at least one was being sold for $5,000 on January 16, two we reported about on January 18, and another one was mentioned on January 28.

It will be a long time before I believe Oracle finally fixed everything. After years of screwing the security pooch over known security issues, I wouldn't trust the turkeys at Oracle to get it all right in one rushed patch. :rolleyes:
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
Mine gave me the auto update notification this morning. We shall see if they really got it right or if it will all be fixed in Java 8 which is due out this year.
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
Harvey said:
"Thenextweb.com reports that, according to Oracle, Update 13 addresses 50 vulnerabilities.

It will be a long time before I believe Oracle finally fixed everything. After years of screwing the security pooch over known security issues, I wouldn't trust the turkeys at Oracle to get it all right in one rushed patch. :rolleyes:"

I have no love of Oracle, but perhaps it could be argued that Sun was screwing the security pooch for ages, and Oracle is faced with cleaning up their mess?
 

Crow550

Platinum Member
Oct 4, 2005
2,381
5
81
The one thing I hate with Java is that it does not auto update in the background, which IMO it should, as most users tend to ignore Java updates. I think Secunia PSI will auto update it?

I personally just uninstalled Java. None of the sites I regularly visit have complained.
 

BrightCandle

Diamond Member
Mar 15, 2007
4,762
0
76
At the moment I have the JVM and Windows 8 is crashing Minecraft. The JVM is segfaulting. If I use the 32-bit version of Java it works, but not the 64-bit. I have never had such severe problems with a JVM release in all my time programming Java (since 1.0). It's alpha-quality software, which, considering it's hit update 13, is shocking.

Honestly, I would recommend everyone uninstall it; I highly doubt Oracle has fixed the issue, and you really don't need it for the web anymore.