Oracle is rushing out an emergency update for Java, repairing two vulnerabilities, including one that is currently being exploited in ongoing attacks.
Both flaws affect the Java component in Web browsers. FireEye detected one of the vulnerabilities last week and indicated that it was being used to spread a remote access Trojan onto victims' computers, giving cybercriminals full control of the machine.
Both vulnerabilities affect the 2D component of Java SE, wrote Eric Maurice, Oracle's director of software assurance, in the company blog. The flaws are relatively easy for an attacker to exploit, which increases the likelihood of more widespread attacks targeting them.
Maurice said the flaw was originally reported to Oracle Feb. 1, but it was received too late to be included in a security update issued Feb. 19. "In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert," Maurice wrote.
Attacks targeting the coding error were detected on malicious websites. "Successful exploits can impact the availability, integrity, and confidentiality of the user's system," Oracle said in its security advisory.
The update can be applied by desktop users at Java.com. Maurice said Oracle has switched security settings to "high" by default, requiring users to authorize the execution of Java applets in the browser.
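Two checks a practitioner would want after reading the above: whether an installed runtime still predates the Security Alert fix, and whether the browser security level is actually pinned to "high" rather than merely defaulted there. The script below is an added example, not Oracle's or the article's code. It assumes the fixed releases named in Oracle's Security Alert for CVE-2013-1493 (JDK/JRE 7 Update 17 and 6 Update 43), the `1.x.0_NN` version format printed by `java -version`, and the `deployment.security.level` key of a `deployment.properties` file whose path the caller supplies (on Linux the per-user copy normally lives under `~/.java/deployment/`; the sample file here is constructed inline).

```shell
#!/bin/sh
# Added example (not from the article or from Oracle).
# Assumption: CVE-2013-1493 was fixed in JRE 7 Update 17 and JRE 6 Update 43.

# java_needs_update VERSION
# Returns 0 (true) when VERSION, e.g. 1.7.0_15 as printed by `java -version`,
# is older than the fixed release for its family; 1 when it is current;
# 2 when the family is not one assessed here.
java_needs_update() {
    ver="$1"
    family=$(printf '%s' "$ver" | cut -d. -f2)          # "6" or "7"
    case "$ver" in
        *_*) update=$(printf '%s' "$ver" | sed 's/.*_//; s/-.*//') ;;  # "15" from 1.7.0_15-b03
        *)   update=0 ;;                                 # no update number: treat as GA build
    esac
    case "$family" in
        7) [ "$update" -lt 17 ] ;;
        6) [ "$update" -lt 43 ] ;;
        *) return 2 ;;
    esac
}

# applet_prompt_enforced FILE
# Returns 0 when FILE (a deployment.properties) sets the control-panel
# security level to HIGH or VERY_HIGH, the levels that force a prompt
# before an applet runs in the browser. Assumed key name: deployment.security.level.
applet_prompt_enforced() {
    grep -Eq '^deployment\.security\.level=(HIGH|VERY_HIGH)$' "$1"
}

# Constructed sample: a properties file pinning the level to HIGH and locking it.
props=$(mktemp)
cat > "$props" <<'EOF'
deployment.security.level=HIGH
deployment.security.level.locked
EOF

java_needs_update 1.7.0_15 && echo "1.7.0_15: update required for CVE-2013-1493"
applet_prompt_enforced "$props" && echo "click-to-run prompt enforced"
rm -f "$props"
```

Run it against the real values by substituting the output of `java -version` and the path of the user's or system's `deployment.properties`; the `.locked` line in the sample is what prevents a user from lowering the level again from the control panel.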
Oracle has increasingly come under pressure to address Java security issues. A researcher on Monday issued a warning about potentially five other Java zero-day vulnerabilities. Poland-based Security Explorations said the coding errors could be used to bypass browser sandboxing restrictions for Java.
Oracle issued its last Java update Feb. 19 and addressed five vulnerabilities in the Java browser component. The security issues affecting Java have prompted Apple to blacklist outdated Java plug-ins in Safari.
PUBLISHED MARCH 4, 2013