Oracle releases fix for Java Zero-Day Vulnerabilities
Oracle has released an emergency security alert to patch the controversial CVE-2012-4681 vulnerability and two others in Java 7 running in web browsers on desktops. Standalone Java desktop applications and Java running on servers were not vulnerable.
“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 `in the wild,’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” advised the company.
In the past few days, the security community has been informing users of these vulnerabilities and firmly advised them to uninstall Java from their browsers. Bitdefender Labs estimated that nearly 3 billion people were vulnerable to these bugs and HotForSecurity kept readers informed of developments from day one here and here.
Oracle explains in the Security Alert that “these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability.”
This patch protects Internet users against further exploitation of these three vulnerabilities that have already been used in targeted attacks and were available for purchase on underground forums in the Metasploit tool and Blackhole exploit kit for all those willing to pay for a cyber-attack gizmo.
Unfortunately, some computer users will remain vulnerable to these and other tools. Many people fail to update their software despite loud media and security industry information campaigns.