Oracle rushes out last-minute patch for vulnerabilities

Summary: With reports of more Java vulnerabilities being exploited in the wild, Oracle has rushed out yet another patch ahead of its scheduled April update.

Oracle has rushed out a patch to Java amid reports that yet another vulnerability is being exploited in the wild.

The latest patch puts the current versions of Oracle's software at Java 7, Update 17 and Java 6, Update 43.

On February 19, Oracle released an additional update to another critical patch from February 1. However, this did not address two recent vulnerabilities. These were given the Common Vulnerabilities and Exposures identifiers CVE-2013-1493 and CVE-2013-0809, with the former known to be abused by attackers.

"Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1, 2013, unfortunately too late to be included in the February 19 release of the Critical Patch Update for Java SE," Oracle's director of software security assurance Eric Maurice wrote on the company's security blog.

According to Maurice, after Oracle received reports of CVE-2013-1493 being exploited in the wild, it decided to immediately release another emergency patch rather than wait for the original 16 April Critical Patch Update for Java SE.

"In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert."

The security alert for the vulnerability states that users who visit a malicious web page that exploits the flaw could have their computers compromised without any username or password being required. The vulnerability exists only in Java applets.
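The practical question for an administrator reading this is whether an installed Java runtime is at or above the fixed versions the article names (Java 7 Update 17 and Java 6 Update 43). The following script is an added example, not code from the article or from Oracle; it parses the version string printed by `java -version` (which Java writes to stderr) into a (family, update) pair and compares it against those two minimums. The sample version outputs in the block are constructed for illustration; the `check_local_java` helper that shells out to a local `java` binary is an assumption about how it would be used.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched versions named in the security alert, keyed by Java family:
# Java 7 Update 17 and Java 6 Update 43.
PATCHED_MIN = {6: 43, 7: 17}

# Matches the quoted version in lines such as: java version "1.7.0_17"
# Group 1 is the family (6, 7, ...), group 2 the update number (may be absent).
_VERSION_RE = re.compile(r'"1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Extract (family, update) from `java -version` output.

    '1.7.0_17' -> (7, 17); '1.6.0_43' -> (6, 43); a bare '1.7.0' -> (7, 0).
    Returns None when no recognisable version string is present.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2) or 0)  # missing "_NN" means update 0
    return family, update


def is_patched(output: str) -> Optional[bool]:
    """True if the runtime is at or above the fixed update for its family.

    False if it is older; None if no version was found or the family
    (e.g. Java 8) is not one of the two covered by this alert.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    if family not in PATCHED_MIN:
        return None
    return update >= PATCHED_MIN[family]


def check_local_java(java_binary: str = "java") -> Optional[bool]:
    """Run `java -version` on this host and evaluate it (assumed usage)."""
    try:
        proc = subprocess.run([java_binary, "-version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    # `java -version` prints to stderr; fall back to stdout just in case.
    return is_patched(proc.stderr or proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs (not captured from a real machine).
    samples = {
        "7u17 (fixed)":   'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
        "7u15 (old)":     'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
        "6u43 (fixed)":   'java version "1.6.0_43"\nJava(TM) SE Runtime Environment (build 1.6.0_43-b01)',
        "6u41 (old)":     'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)',
    }
    for label, out in samples.items():
        print(f"{label}: patched={is_patched(out)}")
```

Because the flaw is only reachable through applets, a host reporting `False` here should have the browser plug-in disabled until the runtime is updated; a `None` result means the script could not decide and the version should be checked by hand.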

Apple also released a separate advisory of its own today, confirming the issue.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," Apple's advisory said.


About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
