Oracle releases emergency fixes for Java 0day - Update

Oracle has released patches to close the holes in Java that allowed attackers to completely disable the security model of Java from untrusted code. The flaw affected versions all versions of Java 7 including the most recent, Java 7 Update 6. The fixes come in the form of a release of Java 7 Update 7 which, according to the advisory, corrects three critical vulnerabilities. Initial testing by The H's associates at heise Security has shown the fixes to be effective.

Java 7 Update 7 is now available to download for Windows (32- and 64-bit), Linux (32- and 64-bit), Mac OS X (64-bit), Solaris x86 (32- and 64-bit) and Solaris SPARC (32- and 64-bit). JDKs with the updated Java runtimes are also available. Users with Java installed on their systems, whatever operating system, should install the updates as soon as possible because malicious software that uses the vulnerability is already in circulation.

A fourth fix, a security-in-depth fix, which tightens up security in the AWT subcomponent is also included; the vulnerability involved cannot be exploited alone, but Oracle says it could be used in combination with other attacks. This flaw is not only corrected in Java 7 update 7, but also in Java 6. Java 6 Update 35 with the security-in-depth fix is available to download for the the same platforms, excluding Mac OS X.

Update - In the advisory, Oracle credits security expert Adam Gowdiak for the detection of the holes, confirming his statement that the company had known about the vulnerability since April.

OpenJDK developers have also had to release an update to the IcedTea Java runtime. IcedTea 2.3.1 includes the fixes for the 0day issue along with a number of other updates which had their release pre-empted by the security problems.

See also:

• Oracle Security Alert for CVE-2012-4681, Oracle advisory.
• The new Java 0day examined, a feature from The H.
  

(djwm)