Five vulnerabilities were patched in Java 7 Update 15 today, all of them remotely exploitable, and three of them rated of the highest criticality by Oracle.
Today’s fixes come 19 days after Oracle accelerated its regularly scheduled patch release to Feb. 1. That was in response to a zero-day exploit discovered Jan. 9 in a number of popular exploit kits; the exploits bypassed the Java sandbox. An emergency Java update was released Jan. 17, but it was incomplete, according to a number of researchers who were still able to bypass the sandbox security protections innate to the platform.
The three most severe vulnerabilities (CVE-2013-1487, CVE-2013-1486 and CVE-2013-1484) apply only to client deployments of Java, Oracle said.
“This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets,” Oracle said in its advisory, adding that both run in the sandbox with limited privileges. “Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.”
Apple, meanwhile, has pushed out a new version of Java 6 for Mac OS X users that removes the Java plug-in, forcing users to go to Oracle for Java downloads if so desired. The move is in response to a breach disclosure today from Apple, which admitted a number of Mac machines belonging to Apple employees were compromised by Java exploits. Apple said the attackers were the same group who hacked Facebook, which admitted a similar breach last Friday, and Twitter, which did likewise on Feb. 1.