ID: IRCNE2013031774
Date: 2013-03-05
According to "cnet", in response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.
"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," Oracle wrote in a security alert today. "For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system."
Hackers were recently found using one of the vulnerabilities to get into users' computers and install McRAT malware. Once installed, McRAT works to contact command, control servers, and copy itself into all files in Windows systems.
"In order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible," Oracle software security assurance director Eric Maurice wrote in a blog post today.
According to Oracle, the most recent vulnerabilities are only applicable to Java running in Web browsers -- they don't affect Java running on servers, standalone Java desktop applications, or embedded Java applications. They also do not affect Oracle server-based software.
Users can install and update their Java software by going to the Java Web site or through the Java auto update.
- 2