Oracle has released a “security alert” to address a Java SE zero day flaw that is now being used in targeted attacks, but that the company was aware of on February 1 -- over three weeks ahead of its previous critical patch update.
Oracle “strongly recommends” that customers apply the latest release of the software, Java 7 Update 17, due to recent attacks that exploit weaknesses in previous versions of Java 7 and Java 6 to install a Trojan on target systems.
The security alert fixes two flaws, including one CVE-2013-1493 that was being exploited to install the McRat Trojan. Security firm FireEye reported the exploit late last week, just 10 days after Oracle released Java 7 Update 15. Also, despite retiring Java SE 6 at Update 41 last month, Oracle has also released Java SE 6 Update 43 to address the vulnerabilities in that edition.
According to Eric Maurice, Oracle’s director of software assurance, February 1 was “too late” to include a fix for CVE-2013-1493 in the February 19 release.
“Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE,” Maurice explained.
The February 19 release included fixes for five flaws and followed an unscheduled release on February 1 that fixed 50 flaws across Java SE 6 and Java SE 7.
“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013)," said Maurice.
“However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”
The flaws do not affect Java on servers, standalone Java desktop applications, embedded Java applications or Oracle’s server-based software, it said in alert on Monday.