Oracle rushes out last-minute patch for vulnerabilities

Oracle rushes out last-minute patch for vulnerabilities

Summary: With reports of more Java vulnerabilities being exploited in the wild, Oracle has rushed out yet another patch ahead of its scheduled April update.

SHARE:
TOPICS: Security, Malware, Oracle
5

Oracle has rushed out a patch to Java amid reports that yet another vulnerability is being exploited in the wild.

The latest patch puts the current versions of Oracle's software at Java 7, Update 17 and Java 6, Update 43.

On February 19, Oracle released an additional update to another critical patch from February 1. However, this did not address two recent vulnerabilities. These were given the Common Vulnerabilities and Exposures identifiers CVE-2013-1493 and CVE-2013-0809, with the former known to be abused by attackers.

"Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1, 2013, unfortunately too late to be included in the February 19 release of the Critical Patch Update for Java SE," Oracle's director of software security assurance Eric Maurice wrote on the company's security blog.

According to Maurice, after Oracle received reports of CVE-2013-1493 being exploited in the wild, it decided to immediately release another emergency patch rather than wait for the original 16 April Critical Patch Update for Java SE.

"In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert."

The security alert for the vulnerability states that users who visit a malicious web page that uses the vulnerability could leave their computers open to exploitation without the need for a username or password. The vulnerability only exists in Java applets.

Apple also released a separate advisory of its own today, confirming the issue.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," Apple's advisory said.

Topics: Security, Malware, Oracle

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • I love Java!

    I've done a bit of work in Java and it's really a wonderful language and technology. Oracle has been a horrible caretaker for it, though. Shame on them!
    edelbrp
  • Fixed but not available

    Seems Oracle isn't actually allowing Java 6 Update 43 to be downloaded (unless you give them money).

    http://www.oracle.com/technetwork/java/javase/eol-135779.html#Java6-end-public-updates
    Yet Another Know-it-all
  • So, uh, I have yet to see any compelling reason

    to use Java..... In light of so many exploits being discovered, one has to agree that Oracle has been a terrible "caretaker" - or should we just recognize that Oracle has been simply pawning off the largest exploit of all?????
    Willnott
    • Compelling reasons

      As a home user, yes, you have a choice and there isn't many compelling reasons to have Java. But, some corporate users simply don't have a choice if they want to use, say, the company's VPN.
      edelbrp
  • when you rush things

    There is always something missed or something left half-baked.
    That's been the problem with Java all along. I expect more of the same.
    Oracle needs to hire some Trustworthy Computing experts.
    hubivedder