Oracle plugs critical Java vulnerability it knew of in February
Oracle has published a new security alert and released updates to Java 7, 6 and 5. The update fixes the hole recently discovered in the wild, now identified as CVE-2013-1493, and another flaw, CVE-2013-0809. Oracle says both flaws could be exploited over the network through untrusted Java Web Start applications or untrusted Java applets; the vulnerabilities are found in the 2D drawing functionality of Java.
According to a posting on Oracle's security blog, the fix for CVE-2013-1493 wasn't scheduled to be released until 16 April, when the company would have had its next scheduled critical patch update (CPU) for Java. It was notified of the flaw on 1 February but says this was "unfortunately too late to be included" in the 19 February CPU. It was reports from FireEye at the end of February that made Oracle realise the flaw was being actively exploited and that it needed to release an emergency update. The other flaw is described in the blog as "closely related" to the exploited hole.
The updated versions of Java are Java SE 7 Update 17, Java SE 6 Update 43 and Java SE 5 Update 41. Existing Java installations should auto-update. Updated Java runtimes can be downloaded from java.com, while Java Development Kits can be downloaded from Oracle's Technology Network pages for Java developers. The next critical patch update is still scheduled for 16 April. Apple has also released updates for the versions of Java it maintains; Java for Mac OS X 10.6 Update 14 (for Snow Leopard) and Java for OS X 2013-002 (for Lion and Mountain Lion) are now available and update an installed Java SE 6 to Update 43.
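A quick way to confirm that a machine actually received the fix is to compare the installed runtime against the update levels listed above. The following script is an added example, not code from the article or from Oracle; it assumes a `java` binary on the PATH that prints a legacy-style banner such as `java version "1.7.0_17"`, and treats any major release the alert does not mention as unknown rather than guessing.

```python
import re
import subprocess

# Minimum patched update level per Java major release, as given in the
# Oracle alert for CVE-2013-1493 / CVE-2013-0809 (see the article above).
FIXED_UPDATE = {5: 41, 6: 43, 7: 17}

# Matches the legacy banner scheme 1.<major>.0_<update>, e.g. 1.6.0_43.
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, e.g. 1.7.0_17 -> (7, 17).
    Returns None when the banner does not use the 1.x.0_NN scheme."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_patched(major, update):
    """True if the release is at or above the update that fixes both CVEs,
    False if it is older, None if the alert does not cover that major release."""
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update >= fixed


def check_installed():
    """Run the local `java -version` (which prints to stderr) and classify it."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "java not found"
    parsed = parse_java_version(out.stderr + out.stdout)
    if parsed is None:
        return "unrecognised version banner"
    status = is_patched(*parsed)
    return {True: "patched", False: "VULNERABLE", None: "not covered by alert"}[status]


if __name__ == "__main__":
    print(check_installed())
```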
This update may also include fixes for other problems; new Java flaws are being reported regularly, as evidenced by the number recently reported to Oracle by Security Explorations researcher Adam Gowdiak. To remain safe, The H's advice is to disable Java in the browser; on Windows this can be done through the Java control panel by selecting "Disable Java content in the browser" under the Security tab. If Java is occasionally needed, users should at least activate the click-to-play functionality in browsers such as Firefox and Chrome.