Oracle has issued a critical security update to Java, repairing two widely exploited zero-day vulnerabilities.
The update arrives a week after exploit code for the vulnerabilities surfaced publicly. In a security advisory issued Thursday, Oracle urged customers to apply it.
"Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the company said. "Successful exploits can impact the availability, integrity, and confidentiality of the user's system."
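Oracle's advice is to apply the update; the check a practitioner wants next is whether every endpoint actually runs a patched build. The script below is an added example, not code from the article or from Oracle. It parses the first line of `java -version` output (which the JVM writes to stderr) into a family and update number and compares the update number against a per-family minimum. The minimum update levels in `MINIMUM_UPDATE` and the sample version strings are assumed for illustration and are not stated by the article; substitute the update levels named in the Security Alert before relying on the result.

```python
import re
import subprocess

# The first line of `java -version` output looks like:  java version "1.7.0_06"
# Capture the family (1.7.0) and the update number (06); a missing update means 0.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Minimum update level per Java family. These values are ASSUMED for illustration;
# the article does not state them. Replace them with the levels in Oracle's alert.
MINIMUM_UPDATE = {
    (1, 7, 0): 7,
    (1, 6, 0): 35,
}


def parse_java_version(text):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def classify(installed, minimums=MINIMUM_UPDATE):
    """Classify an installed version as absent, patched, vulnerable or unknown."""
    if installed is None:
        return "absent"
    family, update = installed[:3], installed[3]
    if family not in minimums:
        # No fix level on record for this family: report it as unverified, not safe.
        return "unknown"
    return "patched" if update >= minimums[family] else "vulnerable"


def installed_java_version():
    """Run `java -version` on this host and parse it; None if Java is not present."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The JVM prints the banner to stderr; read both streams to be safe.
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from a real host) for a quick self-check.
SAMPLE_UNPATCHED = ('java version "1.7.0_06"\n'
                    'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n')
SAMPLE_PATCHED = ('java version "1.7.0_07"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n')

if __name__ == "__main__":
    for label, banner in (("sample-unpatched", SAMPLE_UNPATCHED),
                          ("sample-patched", SAMPLE_PATCHED)):
        print(label, classify(parse_java_version(banner)))
    print("this host", classify(installed_java_version()))
```

The "unknown" result is deliberate: a Java family with no recorded fix level should be flagged for a human to look at rather than silently counted as safe, and a host with no Java at all is reported separately so inventory totals stay honest.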
Tod Beardsley, Metasploit engineering manager at Boston-based Rapid7, said the patch appears to be effective at fixing the flaws. Researchers reverse engineering the update say it may contain additional fixes that the advisory does not list, he said.
"Going from public disclosure at the beginning of the week to having a patch from Oracle on Thursday is lightning quick," Beardsley said. "This may indicate a change from Oracle in that they may be more flexible at releases or it may indicate that their QA process is more mature."
In comparison, last year when Metasploit developers added the "Rhino exploit" module, it took Oracle six or more weeks before a patch was released, Beardsley said.
Security researchers at Miami-based Immunity Inc. said the Oracle update may have patched as many as four Java vulnerabilities.
"The update also patched at least two other vulnerabilities that were basically the same but related to constructors and fields and allowed an attacker to get any public constructor or any public field via reflection bypassing security checks," according to Immunity. "These two 'new' vulnerabilities patched combined with the MethodFinder weakness could allow you to bypass the Sandbox and obtain full execution on Linux, Windows and MacOSX."
A module targeting the Java flaws was also added to the Metasploit penetration testing tool earlier this week, making the code more publicly available. The cybercriminals behind the Black Hole exploit kit have also reportedly added the Java zero-days to the attack toolkit's arsenal. Security researchers at San Diego-based Websense confirmed the addition to Black Hole, releasing details in a blog entry on Wednesday.
Oracle remained tight-lipped throughout the week and did not publicly acknowledge the zero-day vulnerabilities before the patch. The Redwood Shores, Calif.-based software vendor did not respond to a request for an interview.
The attacks targeting the flaws have prompted experts to call on enterprise IT teams to restrict use of Java on endpoint desktops. Symantec on Thursday announced that its research team has detected the use of the Java zero-day exploits by the gang behind the Nitro Attacks targeting chemical companies.
"We can confirm that some of the attackers behind this round of attacks are actually the Nitro gang," Symantec said in its blog post outlining its findings.
Rather than an email attachment, the attackers are hosting the exploits on websites, luring victims into clicking a link to the malicious Web page.
"It is likely that the attackers are sending targeted users emails containing a link to the malicious jar file," Symantec said. "The Nitro attackers appear to be continuing with their previous campaign."