Database giant Oracle has issued an out-of-cycle emergency security update to Java that aims to patch several vulnerabilities that are being actively exploited by cybercriminals. The update — Java Version 7 Update 7 — closes loopholes that potentially allow attackers to gain complete control of a computer over a network without a username or password; moreover, the vulnerabilities specifically apply to Java applications running in desktop Web browsers. While standalone Java applications and Java running on servers aren’t affected (and that includes Oracle’s own server-based software), it does mean folks who can run Java in a Web browser are vulnerable — and some estimates put that number at over a billion machines worldwide.
Oracle’s highly unusual move to issue an out-of-cycle security update comes on the heels of the Java exploits being incorporated in the widely used Blackhole cyberattack toolkit. Blackhole is a popular cut-and-paste exploit tool that comes pre-loaded with code designed to exploit flaws in things like Adobe Flash, Adobe Reader, and Java — it’s popular with cybercriminals who lack a deep technical background because it’s relatively easy to use and is regularly updated with new exploits. Kaspersky Lab was apparently the first to report that Blackhole had integrated the zero-day Java exploits; the news was quickly confirmed by security firms like Sophos and ESET.
However, the situation is more complicated. Researchers at Security Explorations claim they reported the vulnerabilities just patched by Oracle all the way back in April of 2012 — nearly six months ago. Moreover, Security Explorations claims that the latest update — Java 7 Update 7 — contains another vulnerability. If confirmed by Oracle, that means another Java update could be on the way in days — or, perhaps, in six months.
Java has been highlighted as a potentially massive security threat for years, but it’s only in 2012 that it’s jumped to the forefront of mainstream security topics, first with the Flashback malware that targeted Mac OS X systems, and now with zero-day exploits targeting desktop browsers with Java enabled.
As originally envisioned by Sun, Java was intended to be a write-once, run-anywhere language that would enable developers to write applications that could run on any computer with a Java VM, regardless of platform. However, while Java technology has found widespread use in servers and mobile devices (the Dalvik Java virtual machine was the center of Oracle’s high-profile suit against Google over Android), the market dominance of Flash and now the ascendancy of HTML5 technologies make Java on the desktop unnecessary for the vast majority of Internet users. Most security researchers recommend that users uninstall or disable the Java Web plug-in in their browsers.
The current Java vulnerabilities are mostly applicable to Windows and Linux users. Most Mac users are immune from these particular Java exploits, even if they have Java installed. (Apple has not shipped Java by default with Macs for some time.) Java for OS X has not been updated to Java 7, so the only potentially vulnerable Mac users are folks who have manually installed Java SE 7 on their own.
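Because the exposure described in this article comes down to which Java release is installed (Java 7 below Update 7 is affected; Java 6 and Java 7 Update 7 are not), a quick way for an administrator to triage machines is to parse the version string that `java -version` reports. The script below is an added example, not something from the article or from Oracle; it assumes that the runtime on the PATH reports itself in the `1.7.0_NN` form Java 7 used, and the sample outputs it checks against are constructed for illustration.

```python
import re
import subprocess

# Constructed sample outputs in the shape `java -version` prints (to stderr).
# Only the first line matters to the parser; the rest is included for realism.
SAMPLE_OUTPUTS = {
    "java7u6": 'java version "1.7.0_06"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)\n',
    "java7u7": 'java version "1.7.0_07"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)\n',
    "java7ga": 'java version "1.7.0"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "java6u33": 'java version "1.6.0_33"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "garbage": "command not found\n",
}

# Java 7 Update 7 is the release the article says closes the holes.
FIXED_MAJOR, FIXED_UPDATE = 7, 7


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None.

    Java 6/7 report as 1.<major>.0_<update>; a GA build has no "_NN" suffix,
    which we treat as update 0. Both "java version" and "openjdk version"
    prefixes are accepted.
    """
    m = re.search(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"', text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def needs_java7u7(text):
    """True if the reported runtime is Java 7 older than Update 7.

    Returns False for Java 6 (the article notes it is not affected) and for
    7u7 or later; returns None when the output cannot be parsed.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    return major == FIXED_MAJOR and update < FIXED_UPDATE


def check_local_java(timeout=10):
    """Run `java -version` on this machine and classify it.

    Note: this inspects the JRE on the PATH. A browser plug-in can be a
    separate installation, so a clean result here does not by itself prove
    the browser is safe; disabling the plug-in remains the stronger fix.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # `java -version` writes to stderr; combine both streams to be safe.
    return needs_java7u7(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, out in SAMPLE_OUTPUTS.items():
        print(f"{name:9s} -> parsed={parse_java_version(out)} "
              f"needs_update={needs_java7u7(out)}")
    print("local runtime needs 7u7:", check_local_java())
```

The parser deliberately keys on the version string rather than on the build number, because the build suffix varies between vendors and platforms while the `1.7.0_NN` form is stable across Oracle's Java 7 releases.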