Although few people expected it (many hoped), Oracle has released an out-of-band patch to address the zero-day flaw that affects Java Runtime Environment (JRE) 7. Since attacks that rely on this vulnerability have already been spotted, the company advises users to immediately apply the patch.
The patch addresses three different but related bugs that don't affect standalone desktop applications or servers; they do, however, affect Java running in desktop web browsers.
“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” said Eric Maurice, director of software security assurance at Oracle.
“Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.”
Yesterday we reported that users from the Netherlands were targeted with VAT rate increase emails that led to this particular exploit. Similar campaigns are most likely already active and new ones will probably emerge in the upcoming days.
It’s likely that this vulnerability will be exploited for quite some time because, as we’ve seen on numerous occasions, many users fail to apply patches in time.
Hopefully, at least companies will rush to apply the patch to ensure that cybercriminals are not able to disrupt their business workflow.
The fact that this JRE vulnerability caused so much havoc once again highlights an important point: dangerous security holes are discovered in Java all the time, and although many users don't actually use it, they keep it installed on their computers.
We advise you to take a good look at the applications you use and the websites you visit. If they don't require Java (most of them don't), uninstall it.
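Whether you decide to uninstall Java or to patch it, the first step is knowing which JRE is actually installed. The script below is an added example (not from the article and not Oracle's tooling): it parses the banner printed by `java -version`, splits the version string into major release and update level, and flags a Java 7 install that is older than a required update. The article does not state the update number of the patched release, so `MIN_UPDATE` is a placeholder you replace with the update level Oracle shipped the fix in; the banner strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added inventory check: is the installed JRE a Java 7 release older than
# the required update level? MIN_UPDATE is a placeholder, not a value from
# the article; set it to the update level of the patched release.
MIN_UPDATE=7

# Pull the quoted version out of a `java -version` banner, e.g. the
# constructed sample 'java version "1.7.0_06"' -> 1.7.0_06
jre_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Split "1.7.0_06" into "<major> <update>", e.g. "7 6".
# Handles the legacy "1.x" prefix (Java 5-8), a missing "_update" suffix,
# build tags such as "-b05", and leading zeros (so "08" is not read as octal).
jre_parse() {
    v="$1"
    case "$v" in
        1.*) v="${v#1.}" ;;   # drop the legacy "1." prefix
    esac
    major="${v%%.*}"
    major=$(printf '%s' "$major" | sed 's/[^0-9].*//')
    case "$v" in
        *_*) upd="${v##*_}" ;;
        *)   upd=0 ;;
    esac
    upd=$(printf '%s' "$upd" | sed 's/[^0-9].*//; s/^0*//')
    [ -z "$upd" ] && upd=0
    [ -z "$major" ] && major=0
    printf '%s %s\n' "$major" "$upd"
}

# Exit status 0 (true) when the version is Java 7 below the given update level.
# Other major releases are out of scope for this check and return false.
jre7_needs_update() {
    set -- $(jre_parse "$1") "$2"
    [ "$1" -eq 7 ] && [ "$2" -lt "$3" ]
}

# Stand-alone use: inspect the JRE on this machine, if one is on PATH.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1)
    ver=$(jre_version_from_banner "$banner")
    if jre7_needs_update "$ver" "$MIN_UPDATE"; then
        echo "Java $ver found: below update $MIN_UPDATE, patch or uninstall"
    else
        echo "Java $ver found: not a vulnerable Java 7 update (or not Java 7)"
    fi
else
    echo "No java binary on PATH; check browser plugin directories separately"
fi
```

The version check only covers the `java` binary on `PATH`; a browser plugin can be present even when no `java` is on the path, so an inventory should also look at the browser's plugin list before concluding Java is absent.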
The latest (patched) version of Java Runtime Environment is available for download here.