Java Zero-Day Vulnerabilities Fixed By Oracle
We recently reported two Java zero-day vulnerabilities that were spotted in the wild by FireEye now identified as the CVE-2013-1493 and CVE-2013-0809. One of these (CVE-2103-1493) was exploited by hackers to install McRat, an executable file, onto the user's machine and was therefore found to be more critical than the other.
These vulnerabilities were reported to the company and were expected to be fixed in April's Critical Patch Update. But active exploitation of the above stated vulnerabilities has driven the company to roll out an Emergency update.
The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.
Previously, we suggested our users to uninstall Java if they didn't wanna be preyed upon via the McRat executable file but Oracle has been kind enough to provide us with a more suitable option to install the new version of Java or autoupdate it.
Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default. This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.
We would request our readers to update their versions of Java as soon as possible to refrain from being attacked. As they say, 'Prevention is better than cure'!
About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.