Oracle patches multiple Java zero-day holes, increases default security

Oracle has delivered on its promise to quickly make available a patch for the zero-day vulnerability discovered last week, but its patch doesn't just close off that hole: it also closes off another that may have been lurking around for much longer.
Written by Michael Lee, Contributor

Last week, a researcher going by the name "kafeine" spotted a number of sites that were abusing a zero-day vulnerability in Java 7 Update 10. Exploitation in the wild was confirmed by several others, and the vulnerability was assigned the identifier CVE-2013-0422.

The vulnerability potentially put over 850 million PCs at risk, and was serious enough to warrant separate warnings from the US government, Apple, and Mozilla, each of which either took action themselves to disable Java plug-ins or advised users not to use the software.

Today, Oracle released advice on the vulnerability, with Oracle Software Security Assurance Director Eric Maurice writing on one of Oracle's security blogs that the company's newest patch, which brings Java to 7 Update 11, mitigates not only CVE-2013-0422 but also CVE-2012-3174.

According to Oracle, the latter "easily-exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols," and a "successful attack of this vulnerability can result in unauthorised Operating System takeover, including arbitrary code execution."

Like CVE-2013-0422, it also affects Java 7 Update 10 and earlier. Similarly, it also received the maximum Common Vulnerability Scoring System (CVSS) score of 10.

While there appear to be no other details available for CVE-2012-3174, the Mitre Common Vulnerabilities and Exposures database shows that the identifier was assigned on June 6 last year. CVE identifiers can be assigned and reserved prior to a vulnerability being known, but are generally used within a short time of reservation. For comparison, CVE-2013-0422 was assigned on December 7 last year, roughly a month before it was first discovered by researchers.

Java 7 Update 11 also brings one other change to beef up the security that already existed in Java. With the newest patch, the default Java Security Level is raised from medium to high, which means the user will always be prompted before an unsigned Java applet or Web Start application is run.

Users who are still running Java 7 Update 10 are advised by Oracle to immediately update to Java 7 Update 11, or otherwise to uninstall the software if it is not required. ZDNet has prepared a guide for users who wish to disable Java in their browser on Windows and Macs.

For those who need the software, Java's built-in updater should allow users to update; further patch notes and resources for administrators using Java's development kit are available from Oracle's website.