It would seem that Oracle is getting serious about addressing security issues in Java. Late Monday the company pushed Java 7 Update 17 that fixes two security holes that were already being exploited in the wild.
The vulnerabilities addressed in Monday’s patch had been known since at least February 1 and were originally slated for the regular security update in April, according to a security blog on the Oracle website:
“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”
As we reported yesterday, at least five additional security holes are currently known to exist in browser-side Java. According to security researcher Adam Gowdiak, all five of these exploits would have to be used together to mount a serious attack. At present, no known exploit for these five new holes exists in the wild.
Oracle is recommending that all users of browser-side Java apply the new patch as soon as possible:
“Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to ‘high’ by default. This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.”
Here at FOSS Force, we are continuing to recommend that users keep their Java browser plugins disabled until the security gurus say it’s safe to get back in the water. This includes users of all Linux distros, as these exploits can be used against the Penguin too.