Oracle has released another emergency Java patch to address the latest in-the-wild exploits, which are being used to install a remote-access Trojan known as McRat.
The company said users should apply this update "as soon as possible" due to "the severity of these vulnerabilities".
The security update, which addresses two vulnerabilities, is available through Oracle's Technology Network or through Java’s auto-update facility.
"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," said an Oracle security alert.
"For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user's system," said the alert.
The McRat Trojan has been installed by exploiting the vulnerabilities in Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases.
Once installed, McRat contacts command and control servers, and copies itself into all files in Windows systems.
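The article names the affected releases, Java 6 Update 41 and Java 7 Update 15, as the latest available at the time. The following script is an added example, not part of the article or Oracle's tooling: it parses the output of `java -version` (which the JRE prints to stderr) and flags an installation whose update number is at or below the affected release for its family. Treating anything at or below those update numbers as affected is an assumption made here, on the basis that the emergency patch shipped as a newer update; the sample version strings are constructed, not captured from a real machine.

```python
import re
import subprocess

# Affected releases named in the article: Java 6 Update 41 and Java 7 Update 15.
# Assumption (ours, not the article's): any update in the same family at or
# below these numbers predates the emergency patch and is treated as affected.
AFFECTED_LATEST = {6: 41, 7: 15}

# Legacy Java version scheme used by these releases, e.g. "1.7.0_15".
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Parse the first 'java version "1.x.0_NN"' line from `java -version` output.

    Returns (family, update), e.g. (7, 15), or None if no version string is found.
    """
    m = re.search(r'(?:java|openjdk) version "([^"]+)"', text)
    if not m:
        return None
    parts = VERSION_RE.match(m.group(1))
    if not parts:
        return None
    major, minor, _, update = parts.groups()
    # "1.7.0_15" means Java 7 Update 15; newer schemes (9+) put the family first.
    family = int(minor) if int(major) == 1 else int(major)
    return family, int(update or 0)


def is_affected(family, update):
    """True if family/update is at or below the affected releases listed above."""
    if family not in AFFECTED_LATEST:
        return False  # the article makes no claim about other families
    return update <= AFFECTED_LATEST[family]


def check_installed():
    """Run `java -version` on this machine and classify the result.

    Returns ((family, update), affected) or None if Java is absent or unparseable.
    """
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    parsed = parse_java_version(out.stderr + out.stdout)
    if parsed is None:
        return None
    return parsed, is_affected(*parsed)


# Constructed sample outputs (not captured from a real system).
SAMPLES = [
    'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    'java version "1.6.0_41"\n',
    'java version "1.7.0_17"\n',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        fam, upd = parse_java_version(sample)
        verdict = "AFFECTED" if is_affected(fam, upd) else "not in affected range"
        print(f"Java {fam} Update {upd}: {verdict}")
    print("installed:", check_installed())
```

The check only tells you whether the runtime on a machine predates the fix; as the article notes, the exposure is through the browser plug-in, so disabling the plug-in is the mitigation that removes the attack surface regardless of version.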
Spate of emergency patches
The security update is the latest in a series Oracle has been forced to release in recent weeks to address newly discovered vulnerabilities in the ubiquitous software.
Oracle discovered the two new exploits only days after scheduling its last update for a zero-day vulnerability in February.
Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued an out-of-band emergency patch.
"To help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible," wrote Oracle software security assurance director Eric Maurice in a blog post.
At the same time as the Java update from Oracle, Apple released an updated version of Java 6 to prevent malicious software being installed on Macs, according to AppleInsider.
Java vulnerabilities affect web browsers
High-profile companies such as Microsoft, Apple and Facebook have all recently disclosed that some of their computers were compromised by exploits of the Java plug-in for browsers that were linked to a developer website.
In January, Apple blocked Java from some of its Macs using its XProtect anti-malware tool, citing security vulnerabilities, and in February it released a security update for the Mac OS X operating system to protect against the malicious software used in an attack on the company’s computer systems.
The US Department of Homeland Security also said in January that computer users should disable Java on their web browsers to protect against any potentially unpatched vulnerabilities.
According to Oracle, the most recent vulnerabilities apply only to Java running in web browsers and not Java running on servers, desktop applications or embedded applications.