
Oracle pushes out Java patches as zero-day vulnerabilities exposed

Emergency fix blocks high-risk vulnerabilities exploited by malicious websites


Oracle released an out-of-band update on Sunday fixing two vulnerabilities in its Java runtime, both of which pose a high risk to users browsing the web.

The company's speed in issuing the fixes may be due in part to the fact that exploit code for at least one of the vulnerabilities, CVE-2013-0422, has already been bundled into two "exploit kits", packages of attack code planted on compromised websites that probe visiting browsers for vulnerable software. The problem became public last week.

"Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools," wrote Oracle's Eric Maurice on the company's security blog.

Both vulnerabilities expose users to attack by a malicious "applet": a Java program that is downloaded from a remote server and runs automatically if the user has the Java browser plugin installed. Applets are embedded in web pages and run inside the browser.

If a user browses to a website rigged with an exploit kit, malicious software can be delivered with no visible sign to the user (a drive-by download), which makes this one of the most dangerous kinds of attack.

The affected software is any system running Oracle's Java 7 (1.7, 1.7.0) up to and including Update 10, according to an advisory from the U.S. Computer Emergency Readiness Team (US-CERT). That includes Java Platform Standard Edition 7, the Java SE Development Kit (JDK) and the Java SE Runtime Environment (JRE).

A vulnerability "in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system," US-CERT said.

The second fix repairs a vulnerability, CVE-2012-3174, in the Java runtime that runs in web browsers, Oracle said. It too can be exploited remotely by tricking users into navigating to a booby-trapped website.

Maurice noted that the update also switches Java's default security level to "high".

"The high security setting requires users to expressly authorise the execution of applets which are either unsigned or are self-signed," he wrote. "As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet."
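Two practical checks follow from the affected-version range above and from the new default security level. The script below is an added example, not code from the article, Oracle or US-CERT: it decides from a `java -version` banner whether an installation is Java 7 at Update 10 or earlier, and reports the `deployment.security.level` value in a Java deployment.properties file. The banners in the test are constructed; the property key and the `~/.java/deployment/deployment.properties` path are assumed from Java 7's deployment configuration.

```shell
#!/bin/sh
# Added example (not from the Techworld article, Oracle or US-CERT).
# Decides from a "java -version" banner whether an installation is in the
# range the advisory names as affected: Java 7 (1.7.0) at Update 10 or earlier.
# Returns 0 when affected, 1 otherwise (later update, or not Java 7 at all).
java7_affected() {
    banner=$1
    # Extract the quoted version string, e.g. 1.7.0_10 from: java version "1.7.0_10"
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    case "$ver" in
        1.7.0)    upd=0 ;;                       # original Java 7 GA, no update number
        1.7.0_*)  upd=${ver#1.7.0_}              # 1.7.0_10 -> 10
                  upd=${upd%%[!0-9]*} ;;         # drop suffixes such as -b21 or -ea
        *)        return 1 ;;                    # not Java 7: outside this alert
    esac
    [ -n "$upd" ] || return 1
    [ "$upd" -le 10 ]
}

# Reports the deployment.security.level value from a Java deployment.properties
# file (assumed key name and location, e.g. ~/.java/deployment/deployment.properties).
# Java 7 Update 11 makes HIGH the default when the key is absent; an explicit
# LOW or MEDIUM line in this file would override that default.
security_level() {
    file=$1
    lvl=$(sed -n 's/^deployment\.security\.level=//p' "$file" 2>/dev/null | tail -n 1)
    printf '%s\n' "${lvl:-not set}"
}

# Run with --live to check the installed JVM and the current user's settings.
if [ "${1:-}" = "--live" ]; then
    banner=$(java -version 2>&1 | head -n 1)
    if java7_affected "$banner"; then
        echo "AFFECTED (update to 7u11 or later): $banner"
    else
        echo "not in the affected range: $banner"
    fi
    echo "deployment.security.level: $(security_level "$HOME/.java/deployment/deployment.properties")"
fi
```

The version check deliberately treats anything that is not 1.7.0 as out of scope, matching the advisory rather than guessing about other release lines; the security-level check only tells you whether a local override exists, since a pre-7u11 runtime with no override is still at the old "medium" default.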

Oracle has more patches coming on Tuesday. The company plans to release 86 patches covering security vulnerabilities in a variety of products, including 18 fixes for its MySQL database. Two of those MySQL vulnerabilities can be remotely exploited without requiring a username or password, according to Oracle.


