On Tuesday a new Java exploit was spotted by FireEye, and by Wednesday it had gone on to infect thousands of machines. Oracle has scrambled to issue a patch, available as a free download at Oracle's website.
Java vulnerabilities are particularly concerning considering how widespread of a technology it is, used for web developers to make sites accessible across browser types. And to make things worse, its author, Oracle, moves slowly in terms of updating protection.
“Oracle,” said Intego, “is on a quarterly patch schedule, which means the next likely patch will not be released until October 16.”
However, Oracle quickly came to the fore with a fix in this case, a boon considering that the exploit was published on Hacker share-site Metasploit and added to the widely-used BlackHole exploit kit.
Sensing a clear and present danger, security experts had advocated disabling Java plug-ins in the wake of the exploit, which infected any machine visiting a compromised website with malware. Making matters worse, Oracle said that the vulnerability exists for all browsers running JRE 7 Update 6 and earlier (including JRE 6). Servers and standalone desktop apps are not at risk, however.
The patch appears to be a winner, even if hastily written. Rapid7, a security firm, issued a statement that it had successfully tested Oracle's update and found it to work well.