Information Week | Dark Reading
Adobe Flash may be all the attack rage lately, but Oracle’s new pile of patches — including one for an 0day spotted in the wild — highlight how Java remains an attractive target.
… Meanwhile, of the 25 CVEs patched in Oracle’s batch of security fixes, 24 of them affect Java SE 8, the newest version of Java. “Of the 25 CVEs fixed in this patch, 24 of them (96%) affect Java SE 8 which is the latest and most up-to-date Java version. This reveals that the security of Java’s APIs has not significantly improved over time. This is something of a paradox, since at Java’s inception it was specifically promoted as being a secure computing platform,” says Java expert and Waratek CTO John Matthew Holt.
Of the 25 flaws, 23 are remotely exploitable bugs that require no authentication, he says. “These are very serious and cover the maximum severity score of CVSS 10.0 — in other words, as bad as it gets,” Holt says.
Java SE 7 is no longer supported by Oracle, he notes, which is problematic for enterprises. “So enterprises running Java SE 7 applications — which is virtually every large enterprise today — cannot automatically download and apply these important security fixes.”
According to Waratek, less than 10% of companies are running Java 8 in live production today and around 30% run Java 7.