Oracle has just released an update that is intended to patch up three "distinct but related vulnerabilities" as well as another serious security issue regarding Java running on desktop browsers.
More specifically, the security holes could be exploited over a network without needing a username and password if an unsuspecting user is running an affected release in a browser and then visits a malicious web page that leverages this vulnerability.
The possible outcome is that the vulnerabilities could be used to compromise the user's personal data and the security of the user's system as a whole.
Oracle software security assurance director Eric Maurice explained in a blog post on Thursday that customers should apply the updates as soon as possible because many of the technical details related to the vulnerabilities are already widely available online.
If successfully exploited, these vulnerabilities can give a malicious attacker the ability to plant arbitrary binaries of their choosing onto the compromised system; for example, the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.
But Oracle asserts that the security vulnerabilities are not applicable to standalone Java desktop applications, Java running on servers, or any Oracle server-based software.
However, there is a bit of a firestorm over the delay and quietness of Oracle's response to these issues. Some media outlets are pointing towards Polish security firm Security Explorations, which claimed that Oracle knew about these vulnerabilities for months.
To some degree, Oracle acknowledges this: Maurice pointed out that Oracle has received external reports that these vulnerabilities are already being actively exploited in the wild.
Despite brewing criticism towards the Java owner, the patches are available now, so don't delay in applying them if your system is at risk.