Oracle patches critical Java vulnerability (but new exploit already discovered)

Posted on Friday, August 31 2012 @ 21:41 CEST by Thomas De Maesschalck
Oracle announced an out-of-cycle security update for Java 7 that addresses the critical 0-day exploit in Java that made the news earlier this week.

The update was previously scheduled for release on October 16, but growing media attention about the exploits urged Oracle to release an emergency update. Interestingly, Oracle has reportedly known about these three vulnerabilities, as well as many other still unpatched bugs, since April 2, 2012: Polish security startup Security Explorations disclosed 29 vulnerabilities in Java 7 to Oracle back in April, but only two issues were fixed in the last Java update, which was released on June 12.

You can download the latest version of Java at Java.com, or use the plug-in's automatic update feature. Oracle's security alert reads as follows:
Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547. These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.

Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.

Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible. Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.
Unfortunately, it seems it's back to the drawing board for Oracle, as merely hours after the release of Java 7 Update 7, security researchers had already discovered a new vulnerability that allows a complete Java Virtual Machine sandbox escape. Security researcher Adam Gowdiak found that Oracle only removed the "exploitation vector" and did not patch all of the exploitable vulnerabilities.

Security Explorations sent a report about the vulnerability to Oracle on Friday, together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO, said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with his running shoes on or lifting heavy weights in the weight room.