A significant patch to Oracle's Java SE was released today, two weeks ahead of schedule. According to the advisory accompanying the update, fully 49 of the 50 fixes contained in the patch are remotely exploitable.
Writing in a blog, Software Security Assurance Director Eric Maurice said the company "decided to accelerate the release of this Critical Patch Update because active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed."
This is not the first out-of-band update to Java this year. A zero-day vulnerability that was spotted in the wild was patched on Jan. 13 -- only to have two new Java vulnerabilities announced within days.
The large number of significant security issues has caused discussion in some security circles about whether Java should remain in general use, but has also engendered some criticism of Oracle for not communicating its plans for dealing with Java security concerns. Milton Smith, Java's senior principle security product manager, said in a recorded conference call that, "The plan for Java security is really simple. It's to get Java fixed up," he said. "And then number two, to communicate our efforts widely."