Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today’s update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15.
The vulnerability allows for arbitrary memory execution in the Java virtual machine process; attackers exploiting the flaw were able to download the McRAT remote access Trojan. McRAT, as it turns out, is not a reliable exploit, experts at FireEye said last week, adding that the executable tries to overwrite a large memory chunk and does crash the JVM. If the executable does successfully install itself, it reaches out to a command and control server at 220.127.116.11 for more instructions. This is the same C2 server used in the attack on security company Bit9, FireEye said last week.
Oracle said CVE-2013-1493 was reported Feb. 1, too late to be included in its Feb. 19 Critical Patch Update for Java, and originally intended to sit on the fix until the next scheduled Java fix April 16.
“In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible,” Oracle’s Eric P. Maurice wrote in the company’s advisory today.
Both vulnerabilities are remotely exploitable and were given Oracle’s highest criticality score.
“Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications,” Oracle’s Maurice wrote. “They also do not affect Oracle server-based software.”
The news of the release of Java 7 Update 17 came hours after reports surfaced that additional vulnerabilities in Java were discovered by researchers at Security Explorations of Poland. That firm said it has reported seven Java vulnerabilities to Oracle since Feb. 25, none of which were addressed intoday’s update.
Researcher Adam Gowdiak found a handful of new vulnerabilities related to the Java Reflection API that would allow an attacker to bypass the Java security sandbox. Gowdiak reported two bugs on Feb. 25, one of which Oracle confirmed as a vulnerability, the other it refused to, calling it “allowed behavior,” the researcher said.
Gowdiak said his company provided Oracle with code samples proving the “allowed behavior” is not allowed in Java SE.
“The codes we delivered to Oracle trigger real security exceptions in a response to the attempt to gain same access as the one abused by Issue 54,” he told Threatpost. “We’ve also found evidence in Oracle’s own Java SE docs that contradicts the company’s claims.”