The Inquirer-Home

Apple and Oracle roll out patches for Java zero day flaws

Advise users to apply the patch as soon as possible
Tue Mar 05 2013, 13:48

RECENTLY HACKED Apple and Oracle are rolling out patches that fix zero-day flaws found in Java software running in web browsers.

The vulnerabilities identified in bulletins CVE-2013-1493 and CVE-2013-0809 were originally uncovered by researchers at security firm FireEye, who said that their cloud security monitoring spotted online exploits in the wild targeting zero-day flaws in Oracle's Java plugin.

FireEye explained that the exploits attempted to target a remote code execution flaw and, when successful, download and execute a malware package.

Oracle issued a statement today announcing a Java update patching these vulnerabilities, called Security Alert CVE-2013-1493.

"Both vulnerabilities affect the 2D component of Java SE," Oracle explained. "These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications."

The company noted that the flaws are only present in client versions of Java, and "do not affect Oracle server-based software", so administrators will not need to update their Java servers to protect against attack.

Oracle recommends applying the patch as soon as possible. Desktop users on Windows and Linux can install the patch from java.com or through Java autoupdate, while Mac OS X users can obtain the fix through Apple's Software Update component.

Oracle hasn't been having the best time recently. This is the second time zero-day exploits have been found in its Java software in the past eight weeks.

Back in January, a zero-day exploit was discovered in the wild and security vendors advised users to disable Java support in their computers in order to stay safe.

According to Trend Micro, the flaw was being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK) to distribute ransomware, particularly Reveton variants. µ
