Oracle patches latest zero-day vulnerabilities in Java
The emergency fix repairs two vulnerabilities that can be remotely exploited by a malicious website
IDG News Service - Oracle released two out-of-band patches on Sunday for vulnerabilities in its Java programming language, both of which pose a high risk to users browsing the web.
The company's speed in issuing patches may be due to part that exploit code for at least one of the vulnerabilities, CVE-2013-0422, has already been wrapped into two "exploit kits" or packages of attack code inserted into websites that already have other vulnerabilities. The problem became public last week.
"Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools," wrote Oracle's Eric Maurice[cq] on the company's security blog.
Both vulnerabilities expose users to the possibility of being attacked by a malicious "applet," which is a Java application that is downloaded from another server and runs if a user has Java installed. Applets are embedded in web pages and run in the browser.
If a user browsed to a website rigged with an exploit pack, malicious software can be unnoticeably delivered, making it one of the most dangerous kinds of attacks.
The affected software platforms are any system using Oracle's Java 7 (1.7, 1.7.0) through the 10th update, according to an advisory from the U.S. Computer Emergency Readiness Team. That also includes Java Platform Standard Edition 7, Java SE Development Kit and Java SE Runtime Environment.
The vulnerability lies "in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system," US CERT said.
The second patch repairs a vulnerability, CVE-2012-3174, in Java that runs in web browsers, Oracle said. It also can be exploited remotely by tricking users into navigating to a booby-trapped website.
Maurice noted that the security fixes will also switch Java's security setting to "high" by default.
"The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed," he wrote. "As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet."
Oracle has more patches coming on Tuesday. The company plans to release 86 patches covering security vulnerabilities in a variety of products, including 18 fixes for its MySQL database. Two of those MySQL vulnerabilities can be remotely exploited without requiring a username or password, according to Oracle.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Data Security White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!