Oracle rushes out last-minute patch for vulnerabilities

With reports of more Java vulnerabilities being exploited in the wild, Oracle has rushed out yet another patch ahead of its scheduled April update.
Written by Michael Lee, Contributor

Oracle has rushed out a patch to Java amid reports that yet another vulnerability is being exploited in the wild.

The latest patch brings the current versions of Oracle's software to Java 7 Update 17 and Java 6 Update 43.
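The fixed versions named above, 7u17 and 6u43, are what an administrator has to check an installed runtime against. The following POSIX shell check is an added example, not code from the article, from Oracle or from Apple: it parses the version string that `java -version` prints (for instance `1.7.0_17`) and decides whether that runtime is at or above the fixed update for its major line. The function names `java_patched` and `check_installed_java` are this example's own, and the comparison is done numerically on the update number so that 1.7.0_9 is correctly treated as older than 1.7.0_17.

```shell
# Added example (not part of the article or of Oracle's Security Alert):
# decide whether a Java runtime version string is at or above the releases
# that carry the CVE-2013-1493 fix, Java 7 Update 17 and Java 6 Update 43.
# Version strings are in the form printed by `java -version`, e.g. 1.7.0_17
# or 1.6.0_43-b01.

# java_patched <version>
#   exit 0 if the version is at/above the fixed update for its major line,
#   exit 1 otherwise. Unparseable strings and other major lines (e.g. 1.5)
#   are treated as unpatched, since no fix for them is named in the alert.
java_patched() {
    ver=$1
    # "1.7.0_17" -> major 7 ; "1.6.0_43-b01" -> major 6
    major=$(printf '%s' "$ver" | sed -n 's/^1\.\([0-9]*\)\.[0-9]*.*/\1/p')
    # "1.7.0_17" -> update 17 ; "1.6.0_43-b01" -> update 43
    update=$(printf '%s' "$ver" | sed -n 's/^1\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    [ -z "$major" ] && return 1
    # A bare "1.7.0" with no update suffix is the original release: update 0.
    [ -z "$update" ] && update=0
    # -ge compares as integers, so 9 < 17 (a string compare would get this wrong).
    case "$major" in
        7) [ "$update" -ge 17 ] ;;
        6) [ "$update" -ge 43 ] ;;
        *) return 1 ;;
    esac
}

# check_installed_java
#   Runs the real `java -version` (which prints to stderr), extracts the
#   quoted version and reports whether it includes the fix.
#   Exit 0 = fixed, 1 = pre-fix, 2 = no java on PATH.
check_installed_java() {
    command -v java >/dev/null 2>&1 || { echo "java not on PATH"; return 2; }
    v=$(java -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    if java_patched "$v"; then
        echo "Java $v: includes the CVE-2013-1493 fix"
    else
        echo "Java $v: PRE-FIX, update to 7u17 / 6u43 or later"
        return 1
    fi
}
```

`check_installed_java` only inspects the first `java` on PATH; a browser plugin wired to a different JRE on the same host has to be checked separately.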

On February 19, Oracle released a follow-up to the Critical Patch Update it had issued on February 1. That release, however, did not address two more recently reported vulnerabilities, assigned the Common Vulnerabilities and Exposures identifiers CVE-2013-1493 and CVE-2013-0809, the former of which is known to be exploited by attackers.

"Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1, 2013, unfortunately too late to be included in the February 19 release of the Critical Patch Update for Java SE," Oracle's director of software security assurance Eric Maurice wrote on the company's security blog.

According to Maurice, once Oracle received reports of CVE-2013-1493 being exploited in the wild, it decided to release another emergency patch immediately rather than wait for the Critical Patch Update for Java SE originally scheduled for April 16.

"In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert."

Oracle's security alert states that the vulnerability is remotely exploitable without authentication: a user who visits a web page hosting a malicious applet can have their computer compromised with no username or password required. The vulnerability is exploitable only through Java applets.

Apple released an advisory of its own today, confirming the issue.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," Apple's advisory said.
