The Hacker News (THN:B3542EB6BDB595801D671DE6601D68FA)
Aug 31, 2012 - 10:39 p.m.

Oracle releases patches for Java vulnerability CVE-2012-4681

thehackernews.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

Oracle has released a new patch which kills off a vulnerability in Java 7 that was being exploited by malware developers. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” said Eric Maurice, the company’s director of software security assurance.

The out-of-band Security Alert CVE-2012-4681 includes fixes for “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within the browser.

Users with vulnerable versions of Java installed can have malware silently planted on their systems just by unknowingly browsing to a hacked or malicious website. Java is a free programming language widely used to enable everyday programs and website elements to function, including some games, apps and chat, as well as enterprise apps.

Although the attacks using this vulnerability so far have been Windows-based, the exploit was demonstrated on other platforms supported by Java 7, including OS X systems, where it was successfully run in the latest Safari and Firefox browsers in Mountain Lion.

The Java exploit, originally used for targeted attacks, went public last week and began to spread like wildfire after it was added to the popular BlackHole crimeware kit, making it easily accessible to all types of cybercriminals. The patches are emergency, out-of-schedule updates for Oracle. The company was not planning to release security updates for Java until October.

The Java 7 Update 7 patch can be downloaded from the Java SE Downloads Web page, and Oracle recommends that all users of Java 7 apply the update.
