Oracle patches two Java zero-day exploits

The update fixes a couple of issues affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) was just uncovered as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines. It is the latest vulnerability to the platform to be exposed.

“Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process,” researchers at FireEye said. “After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero. Upon successful exploitation, it will download a McRAT executable.”

Both vulnerabilities affect the 2D component of Java SE and affect browser plug-ins only: They are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

The fix does not, however, address a new issue: yesterday Polish researchers at Security Explorations published a blog noting that it had discovered five new security issues in Java SE 7, which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15.

Oracle has not yet commented on this latest hole, but as Infosecurity previously reported, those same researchers last week uncovered what they say are two additional Java problems – only one of which Oracle accepted as being a true vulnerability.

Not that the software giant is standing idly by. Amidst what seems like an escalating number of Java exploits, Oracle has recently switched Java security settings to “high” by default. This high security setting results in requiring users to expressly authorize the execution of applets that are either unsigned or self-signed. As a result, unsuspecting users visiting malicious websites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.

Oracle reiterated that it is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers. It also explained, “Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately [its] too late to be included in the February 19th release of the Critical Patch Update for Java SE,” Oracle said in its blog, sounding almost sheepish in the lateness of the fix.

What’s Hot on Infosecurity Magazine?