

Oracle Issues Emergency Java Update In Wake Of Ongoing Attacks

By Robert Westervelt
March 04, 2013    4:59 PM ET

Oracle is rushing out an emergency update for Java, repairing two vulnerabilities, including one that is currently being exploited in ongoing attacks.

Both flaws affect the Java component in Web browsers. FireEye detected one of the vulnerabilities last week and indicated that it was being used to spread a remote access Trojan onto victims' computers, giving cybercriminals full control of the machine.

Both vulnerabilities affect the 2D component of Java SE, wrote Eric Maurice, Oracle's director of software assurance, in the company blog. The flaws are relatively easy for an attacker to exploit, which increases the likelihood of more widespread attacks targeting them.


Maurice said the flaw was originally reported to Oracle Feb. 1, but it was received too late to be included in a security update issued Feb. 19. "In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert," Maurice wrote.

Attacks targeting the coding error were detected on malicious websites. "Successful exploits can impact the availability, integrity, and confidentiality of the user's system," Oracle said in its security advisory.

The update can be applied by desktop users at Java.com. Maurice said Oracle has switched security settings to "high" by default, requiring users to authorize the execution of Java applets in the browser.

Oracle has increasingly come under pressure to address Java security issues. A researcher on Monday issued a warning about potentially five other Java zero-day vulnerabilities. Poland-based Security Explorations said the coding errors could be used to bypass browser sandboxing restrictions for Java.

Oracle issued its last Java update Feb. 19 and addressed five vulnerabilities for the Java browser component. The security issues impacting Java have prompted Apple to blacklist outdated Java plug-ins in Safari.
