Oracle Releases Fix For Java Flaw
Posted on: 08/30/2012 05:02 PM
[
Comments
]
Oracle on Thursday released a new version of Java that included a fix for the CVE-2012-4681 vulnerability that has been used in limited targeted attacks in the last couple of weeks. The release of Java 7 update 7 comes about four days after the Java flaw was publicly disclosed, but several months after researchers say they notified Oracle of the problem.
Oracle didn't release a security advisory or acknowledge the vulnerability until releasing the new version, along with some release notes today. Security researchers say that the new version of Java prevents existing exploit code from working. Attackers have been using the Java vulnerability, which actually comprises two separate bugs, in attacks since at least early last week and many of the attacks have resulted in the installation of the Poison Ivy RAT, giving the attackers remote access to the machines.
The release notes for the Java 7 update contain a reference to the CVE-2012-4681 vulnerability and says that it's fixed in the new version.
"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system," Oracle's security advisory said.
"Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."
Researchers at Polish firm Security Explorations said this week that they disclosed the two Java flaws in CVE-2012-4681 to Oracle about four months ago, but no patch was forthcoming until this week.
When the vulnerabilities became public knowledge on Sunday, researchers said that there already were targeted attacks exploiting the bugs. The early attacks have been traced to China and researchers found that one of the groups using the bugs was behind the so-called Nitro attacks against chemical companies and defense contractors last year. The group is using the same command-and-control infrastructure in the new wave of attacks.
Oracle didn't release a security advisory or acknowledge the vulnerability until releasing the new version, along with some release notes today. Security researchers say that the new version of Java prevents existing exploit code from working. Attackers have been using the Java vulnerability, which actually comprises two separate bugs, in attacks since at least early last week and many of the attacks have resulted in the installation of the Poison Ivy RAT, giving the attackers remote access to the machines.
The release notes for the Java 7 update contain a reference to the CVE-2012-4681 vulnerability and says that it's fixed in the new version.
"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system," Oracle's security advisory said.
"Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."
Researchers at Polish firm Security Explorations said this week that they disclosed the two Java flaws in CVE-2012-4681 to Oracle about four months ago, but no patch was forthcoming until this week.
When the vulnerabilities became public knowledge on Sunday, researchers said that there already were targeted attacks exploiting the bugs. The early attacks have been traced to China and researchers found that one of the groups using the bugs was behind the so-called Nitro attacks against chemical companies and defense contractors last year. The group is using the same command-and-control infrastructure in the new wave of attacks.
Comments
