Oracle and Apple release Java security updates

Oracle and Apple have released emergency Java patches to address the latest in-the-wild exploits

Oracle has released another emergency Java patch to address the latest in-the-wild exploits, which are being used to install a remote-access Trojan known as McRat.

The company said users should apply this update "as soon as possible" due to "the severity of these vulnerabilities".

The security update, which addresses two vulnerabilities, is available through Oracle's Technology Network or through Java’s auto-update facility.

"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," said an Oracle security alert.

"For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user's system," said the alert.

The McRat Trojan has been installed by exploiting the vulnerabilities in Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases.
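Because the article identifies the affected releases by family and update number, a defender's first question is whether a given machine is still on one of those builds. The following Python script is an added example, not code from the article or from Oracle: it parses the version string that `java -version` prints and flags anything at or below the update levels named above (1.6 Update 41, 1.7 Update 15). The threshold table is constructed from the article's wording; the patched update numbers are not stated on the page, so the script reports only "affected" (at or below the listed level), "newer", or "unknown".

```python
import re
import subprocess

# Highest update number the article names as affected, per Java family.
# Constructed from the article; the fixed update levels are not on the page.
AFFECTED_MAX_UPDATE = {6: 41, 7: 15}

# Matches "1.7.0_15" (legacy scheme) as well as "11.0.2" (Java 9+ scheme).
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None if absent.

    Legacy strings look like 1.6.0_41 (family 6, update 41); Java 9+ strings
    look like 11.0.2 (family 11, update 0 since there is no _NN suffix).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    first, second = int(m.group(1)), int(m.group(2))
    family = second if first == 1 else first
    update = int(m.group(4)) if m.group(4) else 0
    return family, update


def is_affected(family, update):
    """True when the release is at or below the affected level for its family."""
    max_update = AFFECTED_MAX_UPDATE.get(family)
    if max_update is None:
        return False  # family not covered by the article's statement
    return update <= max_update


def classify(text):
    """Map `java -version` output to 'affected', 'newer', or 'unknown'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return "unknown"  # article makes no claim about this family
    return "affected" if is_affected(family, update) else "newer"


def installed_java_version_text():
    """Run `java -version`; the JVM writes this banner to stderr, not stdout."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return ""
    return result.stderr + result.stdout


# Constructed sample banners, used for offline demonstration.
SAMPLE_OUTPUTS = {
    "affected 7u15": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "affected 6u41": 'java version "1.6.0_41"',
    "newer 7u21":    'java version "1.7.0_21"',
    "unknown 11":    'openjdk version "11.0.2" 2019-01-15',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_OUTPUTS.items():
        print(f"{label:14s} -> {classify(banner)}")
    live = installed_java_version_text()
    print("installed      ->", classify(live) if live else "java not on PATH")
```

Run it on a workstation to get a quick answer; for fleet-wide checks, feed the same `classify` function the banner collected by whatever inventory tool is already in place rather than shelling out on every host.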

Once installed, McRat contacts command-and-control servers and copies itself into all files on Windows systems.

Ars Technica was among the first to report on the issue, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

Spate of emergency patches

The security update is the latest in a series Oracle has been forced to release in recent weeks to address newly discovered vulnerabilities in the ubiquitous software.

Oracle discovered the two new exploits only days after scheduling its last update for a zero-day vulnerability in February.

Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued an out-of-band emergency patch.

"To help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible," wrote Oracle software security assurance director Eric Maurice in a blog post.

At the same time as the Java update from Oracle, Apple released an updated version of Java 6 to prevent malicious software being installed on Macs, according to AppleInsider.

The latest Java update for OS X Lion and Mountain Lion is 63.84MB, while the Snow Leopard version is 69.32MB. Both can be downloaded from Apple's support web page or via Software Update.

Java vulnerabilities affect web browsers

High-profile companies such as Microsoft, Apple and Facebook have all recently disclosed that some of their computers were compromised by exploits of the Java plug-in for browsers that were linked to a developer website.

In January, Apple blocked Java from some of its Macs using its XProtect anti-malware tool, citing security vulnerabilities, and in February it released a security update for the Mac OS X operating system to protect against the malicious software used in an attack on the company’s computer systems.

The US Department of Homeland Security also said in January that computer users should disable Java on their web browsers to protect against any potentially unpatched vulnerabilities.

According to Oracle, the most recent vulnerabilities apply only to Java running in web browsers and not Java running on servers, desktop applications or embedded applications.