14 Jan 2013
Oracle has released an emergency software update to fix the Java vulnerability that allowed cyber-criminals to hack computers, after a new zero-day exploit targeting Java 1.7 rev 10 was integrated into a specially tailored exploit kit.
The Oracle update changes the way Java interacts with Web applications and will fix the critical problem in Oracle's Java 7 that left web surfers vulnerable to attack, according to the company.
"The default security level for Java applets and web start applications has been increased from 'medium' to 'high'," Oracle said in an advisory. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."
Users now have to expressly authorize the execution of unsigned or self-signed applets that might be malicious.
The company's prompt reaction may be due to reports that the Java vulnerabilities had already been packed into two exploit kits.
"Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools," said Oracle's Eric P. Maurice on the company's security blog.
Last year, Java was hit by two major vulnerabilities that were rapidly included in the Blackhole exploit pack, one of the most dangerous hacking toolkits.