Oracle has released an out-of-cycle security update to patch newly identified vulnerabilities in Java 7 that have been widely exploited, after the security community urged the company not to wait.
The Java vulnerabilities allow attackers to use a specially crafted web page to force visiting systems to download and run malware; the payload itself does not have to be written in Java.
Since the vulnerabilities were discovered, there had been much speculation about whether Java custodian Oracle would consider them serious enough to release an out-of-cycle security patch.
Security researchers warned that if Oracle had waited until its next scheduled patch release, Java users would have been at the mercy of various exploits until 16 October.
“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 ‘in the wild’, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible,” the company said.
The affected products and versions were listed as JDK and JRE 7 Update 6 and earlier, and JDK and JRE 6 Update 34 and earlier.
"These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software," the alert said.
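A practitioner reading the affected-version list above will want a quick way to check installed runtimes against it. The script below is an added example, not code from Oracle or from the original article: it parses the first line of `java -version` output (which Java prints on stderr in the form `java version "1.7.0_06"`) and reports whether the version falls inside the ranges Oracle listed. The function names, the constructed sample strings and the `7: 6, 6: 34` cut-off table are this example's own; the cut-offs are taken from the version list in the alert.

```python
import re
import subprocess

# Last affected update per major version, as listed in Oracle's alert:
# JDK/JRE 7 Update 6 and earlier, JDK/JRE 6 Update 34 and earlier.
AFFECTED_MAX_UPDATE = {7: 6, 6: 34}

# Matches the legacy version string, e.g. 'java version "1.7.0_06"'.
# The update number may be absent (e.g. '1.7.0' for the initial release).
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(output):
    """True if the version is inside the affected ranges, False if it is newer
    or a major version the alert does not name, None if the output is not a
    version string this example understands (do not treat None as 'safe')."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(major)
    if limit is None:
        return False  # major version not listed in the alert
    return update <= limit


def local_java_version():
    """Run the `java` found on PATH and return its stderr banner, or None."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # `java -version` writes its banner to stderr, not stdout.
    return proc.stderr or proc.stdout


# Constructed sample banners for offline demonstration (not captured output).
SAMPLES = {
    "7u6":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "7u7":  'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "6u34": 'java version "1.6.0_34"\nJava(TM) SE Runtime Environment (build 1.6.0_34-b04)\n',
    "6u35": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)\n',
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label}: affected={is_affected(banner)}")
    banner = local_java_version()
    if banner is not None:
        print(f"local: affected={is_affected(banner)}")
```

Two caveats apply. The script only inspects the `java` binary on PATH, and the JRE a browser plugin loads may be a different installation, so check the plugin's own runtime too. And, as the alert notes, the exposure is through the browser plugin rather than server-side or standalone Java applications, so an affected version on a server is a reason to patch but not the same attack surface.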
Emergency patch for serious threat
Because of Oracle’s record of almost never issuing out-of-cycle patches and the lack of any indications that it would do so, some security researchers scrambled to release an interim patch.
However, they expressed hopes that Oracle would consider the threat serious enough to release an emergency patch.
The first indication that Oracle would do so came from researchers at Security Explorations. Just ahead of Oracle’s announcement, the firm said it had reported the issue to Oracle in April 2012 and that a recent status report showed it had been addressed.