Oracle has announced that a security update for the Java zero-day flaw widely reported last week will be released soon.
According to its statement, the security alert fixes the Java 7 Security Manager Bypass Vulnerability and a second vulnerability affecting Java running in web browsers, which it rates as ‘high’.
It said: “These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user's system.”
It also acknowledged the public disclosure of technical details and the reported exploitation of CVE-2013-0422 in the wild, and strongly recommended that customers apply the updates provided by the security alert as soon as possible.
To exploit the flaw, an attacker needs to trick an unsuspecting user into browsing to a malicious website; the malicious applet then executes within the user's browser and allows the attacker to run arbitrary code on the vulnerable system. “These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets,” it said.
However, according to Polish research group Security Explorations, the update will leave several critical security flaws unfixed. The group claimed to have discovered several bugs in the software over the past year, but said that Oracle has not acknowledged the discovery of these flaws or addressed them in this or other patches.
Wolfgang Kandek, CTO of Qualys, said: “Oracle has made a statement that we can expect a fix for the current Java 7 zero-day vulnerability shortly, but has not given a specific date yet. However, next week on 15th January is Oracle's quarterly Critical Patch Update Tuesday when Oracle updates all of its other software packages with security fixes.”
The announcement came after the US Department of Homeland Security encouraged computer users to disable Java in web browsers, as attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.
“Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers,” it said in its advisory.
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. We are currently unaware of a practical solution to this problem.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “Oracle has moved quickly to release a fix for the vulnerability (CVE-2013-0422) which as of last week was publicly known to be ‘weaponised’ in widely available black market exploit kits.
“This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately. This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild.”
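The two mitigations the article describes, the DHS advice to disable Java in web browsers and the 7u11 change to prompt before running unsigned or self-signed applets, can both be enforced centrally through the Java deployment configuration rather than relying on each user's Control Panel choice. The fragment below is an added example, not part of the original article or Oracle's advisory; it assumes Oracle's documented deployment.properties keys (deployment.webjava.enabled, deployment.security.level and the .locked suffix that prevents users from overriding a value). Values are constructed for illustration.

```properties
# Constructed example of a system-wide Java deployment.properties
# (assumes Oracle's documented deployment configuration keys).

# Weak setting: Java content runs in the browser and the pre-7u11
# default security level lets unsigned applets execute without a prompt.
#deployment.webjava.enabled=true
#deployment.security.level=MEDIUM

# Hardened setting matching the 7u11 behaviour described above: the
# user must consent before an unsigned or self-signed applet runs.
deployment.security.level=HIGH
deployment.security.level.locked

# Stronger setting matching the DHS advice: turn off Java in web
# browsers entirely, and lock it so users cannot re-enable it.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

The .locked entries are what make this a policy rather than a default: without them a user can flip the setting back in the Java Control Panel. Verify the effect after deployment by confirming that the browser plugin no longer loads applets, not just by reading the file back.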