Mere hours after news broke that five new vulnerabilities had been found, Oracle on Monday announced the release of Java 7 Update 17 to address two separate vulnerabilities. The patch is being shipped out of schedule because Oracle learned one of the flaws was being “actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.”
The last update was number 15, but Java security updates always come in odd numbers. If you use the plugin, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u17.
The vulnerability already being exploited was discovered last week by security firm FireEye, which said it had been used “to attack multiple customers.” Oracle admitted it originally received reports of the bug (before it was exploited) on February 1. The company said by that time it was “unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE” (for those keeping track, that’s Java 7 Update 15, which fixed five other vulnerabilities).
Here’s Oracle’s justification:
The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.
This is the first time we’re hearing about the second vulnerability, but it looks like the two are related as they both have to do with the 2D component of Java SE. The flaws only affect Java in Internet browsers, meaning they can only be exploited on desktops through Java Web Start applications or Java applets, which is exactly where criminals aim the majority of their attacks.
Earlier today, Security Explorations, the Polish security firm responsible for identifying the majority of the latest Java security holes, sent Oracle a vulnerability notice that included proof of concept code for five new flaws. Oracle confirmed it received the report today and has begun investigating.
Those vulnerabilities in question need to be linked together to bypass Java’s security checks. Security Explorations told us this particular set isn’t yet being used by attackers, to the company’s knowledge.
These five come following the discovery of two other 0-day vulnerabilities in Java. “0-day” or “zero-day” refers to a security hole that has not been publicly disclosed yet, and so doesn’t have a patch available.
That duo was also found by Security Explorations and disclosed to Oracle on February 25. Two days later, Oracle declared the first alleged issue was not a vulnerability but confirmed the second issue. Security Explorations disagreed with Oracle’s assessment regarding the first issue and Oracle agreed to investigate again after receiving further examples.
We recommend that regardless of what browser and operating system you are using, you should uninstall Java if you don’t need it. If you do need it, disable Java in your default browser, use a second browser when Java is required, and set your Java security settings to “High” so that it prompts you before loading an applet. That being said, make sure you’re on Java 7 Update 17 at the very least.
Image credit: Miguel Saavedra