Oracle's emergency Java patch blocks zero-day exploits, researchers confirm

Fixes flaws that hackers have been using in an ever-increasing number of attacks

By , Computerworld |  Security, java, Oracle

Oracle today issued an emergency update to patch the critical vulnerabilities hackers have been using in increasing numbers to hijack Windows PCs.

According to Rapid7, the security firm that maintains the Metasploit open-source penetration framework, the so-called "out-of-band" update will stymie the current attack campaigns.

"It appears that it's effective in blocking the exploit," Tod Beardsley, the engineering manager for Metasploit, said early Thursday. "We just finished testing it 10 minutes ago."

Oracle posted the update -- designated "1.7.0_07-b10" -- published a bare-bones release note on its website, and followed that with an alert shortly after 1 p.m. ET listing the three security vulnerabilities addressed and a single defense-in-depth change it included.

The company also posted a short blog entry on the update.

Hackers had been exploiting two of the bugs for some time in targeted attacks, but in the last several days the scale of those campaigns had dramatically increased.

Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, who in early April reported the vulnerabilities, also confirmed that Thursday's Java update shuts down the in-use exploits.

"None of the original code that we sent to Oracle in April 2012 can be used to achieve a complete Java security sandbox bypass [after the update is applied]," said Gowdiak in an email reply to questions.

Yesterday, the IDG News Service, which like Computerworld is operated by IDG, reported that Gowdiak had told Oracle of the exploited flaws four months ago, on April 2.

Oracle did not give Gowdiak a heads-up that it would be shipping an out-of-band update today. "[But[ we expected that they would do this, taking into account the recent events surrounding the 0-day attack code and the widespread surprise that the serious security flaws we reported to the company in April 2012 had not been addressed earlier," said Gowdiak.

Gowdiak, Beardsley and others also commented on the unusual nature of an emergency update from Oracle.

Originally published on Computerworld |  Click here to read the original story.
Join us:






SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Ask a Question