Oracle Issues Emergency Java Update In Wake Of Ongoing Attacks

By Robert Westervelt
March 04, 2013    4:59 PM ET

Oracle is rushing out an emergency update for Java, repairing two vulnerabilities, including one that is currently being exploited in ongoing attacks.

Both flaws affect the Java component in Web browsers. FireEye detected one of the vulnerabilities last week and indicated that it was being used to spread a remote access Trojan onto victims' computers, giving cybercriminals full control of the machines.

Both vulnerabilities affect the 2D component of Java SE, wrote Eric Maurice, Oracle's director of software assurance, in the company blog. The flaws are relatively easy for an attacker to exploit, which increases the likelihood of more widespread attacks targeting them.

Maurice said the flaw was originally reported to Oracle Feb. 1, but it was received too late to be included in a security update issued Feb. 19. "In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert," Maurice wrote.

Attacks targeting the coding error were detected on malicious websites. "Successful exploits can impact the availability, integrity, and confidentiality of the user's system," Oracle said in its security advisory.

The update can be applied by desktop users at Java.com. Maurice said Oracle has switched security settings to "high" by default, requiring users to authorize the execution of Java applets in the browser.

Oracle has increasingly come under pressure to address Java security issues. A researcher on Monday issued a warning about potentially five other Java zero-day vulnerabilities. Poland-based Security Explorations said the coding errors could be used to bypass browser sandboxing restrictions for Java.

Oracle issued its last Java update Feb. 19 and addressed five vulnerabilities for the Java browser component. The security issues impacting Java have prompted Apple to blacklist outdated Java plug-ins in Safari.
