Oracle has released two out-of-band security updates for the latest zero-day vulnerabilities in Java.
The patches come within days of reports that one of the vulnerabilities, CVE-2013-0422, was being exploited in the wild and had been added to the Blackhole and Nuclear Pack exploit kits.
Security researchers recommended that Java be disabled until a patch was released as the vulnerability can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The second patch repairs another vulnerability, CVE-2012-3174, that can be exploited remotely by tricking users into navigating to a compromised website.
In a blog post, Oracle said the vulnerabilities affect only Java 7 versions in web browsers, but do not affect Java on servers, Java desktop applications or embedded Java.
“Oracle recommends that this Security Alert be applied as soon as possible,” the blog said.
In addition to fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default, which requires users to authorise the execution of applets which are either unsigned or self-signed.
“As a result, unsuspecting users visiting malicious websites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet,” Oracle said.
The Java plug-in is popular with hackers as a means of carrying out drive-by download attacks through compromised websites.
Drive-by download attacks are set to remain a top attack method in 2013, according to the latest threat report from the European Union (EU) cyber security agency, Enisa.
The out-of-band patches come ahead of Oracle’s quarterly Critical Patch Update on 15 January. The company plans to release 86 patches covering security vulnerabilities in a variety of products.
The updates include 18 fixes for Oracle’s MySQL database. Two of those MySQL vulnerabilities can be remotely exploited without requiring a username or password.