Risk management

Oracle releases emergency patch for Java

Warwick Ashford

Oracle has released an out-of-cycle security update to patch newly identified vulnerabilities in Java 7 that have been widely exploited, after the security community urged the company not to wait.

The move comes hot on the heels of news that the vulnerabilities were being used in targeted attacks and were available to users of the Metasploit tool and Blackhole exploit kit.

The Java vulnerabilities allow attackers to use a custom web page to force systems to download and run malware that does not have to be coded in Java.

Since the discovery of the vulnerabilities, there has been much speculation about whether Java custodian Oracle will consider the vulnerability serious enough to release an out-of-cycle security patch.

Security researchers warned that if Oracle had waited until its next scheduled patch release, Java users would have been at the mercy of various exploits until 16 October.

“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 ‘in the wild’, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible,” the company said.

The security alert said that the updates were aimed at addressing security issues CVE-2012-4681 and two other vulnerabilities affecting Java running in web browsers on desktops.

The affected products and versions were listed as JDK and JRE7 update 6 and before, as well as JDK and JRE6 update 34 and before.

"These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software," the alert said.

Oracle strongly recommends that customers apply the Java updates provided by this security alert as soon as possible

Emergency patch for serious threat

Because of Oracle’s record of almost never issuing out-of-cycle patches and the lack of any indications that it would do so, some security researchers scrambled to release an interim patch.

However, they expressed hopes that Oracle would consider the threat serious enough to release an emergency patch.

The first indication that Oracle would do so came from researchers at Security Explorations. Just ahead of Oracle’s announcement, the firm said they had reported the issue to Oracle in April 2012 and a recent status report showed that it has been addressed.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy