CVSS2 base score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.975 (High)
EPSS Percentile: 100.0%
Oracle has released a new patch which kills off a vulnerability in Java 7 that was being exploited by malware developers. "Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," said Eric Maurice, the company's director of software security assurance.
The out-of-band Security Alert CVE-2012-4681 includes fixes for "three distinct but related vulnerabilities and one security-in-depth issue" affecting Java running within the browser.
Users with vulnerable versions of Java installed can have malware silently planted on their systems just by unknowingly browsing to a hacked or malicious website. Java is a free programming language widely used to enable everyday programs and website elements to function, including some games, apps and chat, as well as enterprise apps.
Although the attacks using this vulnerability so far have been Windows-based, the exploit was demonstrated on other platforms supported by Java 7, including OS X systems, where the exploit was successfully run in the latest Safari and Firefox browsers on Mountain Lion.
The Java exploit, originally used for targeted attacks, went public last week and began to spread like wildfire after it was added to the popular BlackHole crimeware kit, making it easily accessible to all types of cybercriminals. The patches are emergency, out-of-schedule updates for Oracle. The company was not planning to release security updates for Java until October.
The Java 7 Update 7 patch can be downloaded from the Java SE Downloads Web page, and Oracle recommends that all users of Java 7 apply the update.