Flaw left millions of users vulnerable to remote hijacking
Oracle has broken out of its usual patch cycle to release an emergency fix for a critical bug that left millions of computers across the world vulnerable to hackers.
The flaw in Java 7 was revealed earlier this week by several security researchers, who said it could be exploited through all versions of Internet Explorer, Firefox and Opera. Google Chrome was at lesser risk, the researchers said.
The vulnerability enabled attackers to hijack a user’s machine and install malware on it. Because of the huge number of machines running Java, millions of users across the world were at risk. Soon after details were released, further reports emerged suggesting that attackers were already taking advantage of the flaw.
Oracle said the vulnerabilities are remotely exploitable without the need for a username or password.
The threat was clearly so severe that Oracle broke with tradition to release an out-of-cycle patch. Oracle’s next scheduled update is in October.
"Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," said Eric Maurice on Oracle’s blog. "Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild."
Maurice said the patch fixes "three distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software."
Needless to say, IT admins should be pushing the new patch to company PCs as soon as possible.
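One practical step for that rollout is an inventory check of which machines still run an unpatched Java 7. The script below is an added example, not code from the article or from Oracle: it parses the output of `java -version` and classifies each host as vulnerable, patched, not on Java 7, or without Java. The article does not name the update number that carries the fix, so the minimum patched update is an assumed parameter (`MIN_PATCHED_UPDATE`, set to a placeholder here) that the admin should take from Oracle's Security Alert; the host names and version strings are constructed sample data. Bear in mind the scoping Maurice gives above: the fix concerns Java in desktop browsers, so a "vulnerable" result flags an install to update, not proof that the browser plug-in is enabled.

```python
"""Inventory check for Java 7 installs below a given update level.

Added example, not code from the article or from Oracle. The article does not
name the update that carries the fix, so MIN_PATCHED_UPDATE is an assumed
placeholder the admin sets from Oracle's Security Alert.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Assumption: replace with the update number named in Oracle's Security Alert.
MIN_PATCHED_UPDATE = 7

# Matches the legacy "1.7.0_06" style as well as later "11.0.2" style strings.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if absent.

    "1.7.0_06" -> (7, 6); "1.6.0_33" -> (6, 33); "11.0.2" -> (11, 2).
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    first, second, third, update = m.groups()
    if first == "1":                       # legacy 1.x.y_NN numbering
        return int(second), int(update or 0)
    return int(first), int(third)          # newer major.minor.security numbering


def assess(output: str, min_update: int = MIN_PATCHED_UPDATE) -> str:
    """Classify a host from its `java -version` output."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "no-java"
    major, update = parsed
    if major != 7:
        return "not-java-7"              # the flaw described here is in Java 7
    return "vulnerable" if update < min_update else "patched"


def local_java_version() -> str:
    """Run `java -version` on this host; it prints to stderr, so capture both."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample inventory: hostname -> captured `java -version` output.
SAMPLE_HOSTS: Dict[str, str] = {
    "pc-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "pc-02": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "pc-03": 'java version "1.6.0_33"\n',
    "pc-04": "bash: java: command not found\n",
}


def report(hosts: Dict[str, str] = SAMPLE_HOSTS,
           min_update: int = MIN_PATCHED_UPDATE) -> Dict[str, str]:
    """Map each host to its patch status."""
    return {name: assess(out, min_update) for name, out in hosts.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
    print(f"this host: {assess(local_java_version())}")
```

In a real rollout the `SAMPLE_HOSTS` dictionary would be replaced by output collected from each PC (for example by running `local_java_version()` through the fleet's management tooling), and the "vulnerable" list becomes the patch queue.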