The recent exploits uncovered by Security Explorations still work

Mar 5, 2013 08:37 GMT

Oracle has released an out-of-band patch (shipped as Java 7 Update 17) to address two Java vulnerabilities, including CVE-2013-1493, which is currently being exploited in the wild to push the McRat malware onto computers. Users are advised to update as soon as possible.

The security hole was reported to Oracle by FireEye experts on February 1, the day on which Oracle released the first part of its Critical Patch Update (CPU).

“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” said Oracle software security assurance director Eric Maurice.

“However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible.”

Maurice has once again highlighted that the company is committed to accelerating the release of security fixes for Java SE.

The Java patch comes only hours after Security Explorations announced that it had found five additional Java vulnerabilities which, when combined, can be exploited for a complete sandbox bypass.

Adam Gowdiak, CEO of Security Explorations, has told Softpedia that the vulnerabilities his company identified can still be exploited even after the latest update.

The first exploit, which the researchers reported to Oracle on February 25, relies on two vulnerabilities. The second exploit, reported on March 4, chains five Java flaws. In both cases, all versions of Java 7, including the just-released Update 17, are affected.

For the time being, there’s no evidence that any of them are being exploited in the wild. Hopefully, Oracle will address them before that happens.