Oracle has released its quarterly patch update, which includes fixes for nearly 200 vulnerabilities. The most notable bug fixed in this release is the Java zero day that’s been used in an ongoing attack campaign.
The massive release from Oracle has patches for a long list of products, but the Java vulnerabilities are the heart of the July update. There are more than two dozen patches for Java this quarter, at least one of which is being exploited actively.
“Also included in this Critical Patch Update are 25 fixes for Oracle Java SE. 23 of these Java SE vulnerabilities are remotely exploitable without authentication. 16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform,” Eric Maurice from Oracle said in a blog post.
“And 4 fixes are for JSSE client and server deployments. Please note that this Critical Patch Update also addresses a recently announced 0-day vulnerability (CVE-2015-2590), which was being reported as actively exploited in the wild.”
That vulnerability has been used in a cyberespionage operation that reportedly uses spear phishing emails to target users at a United States defense contractor and in military branches of other countries. When users click on a malicious URL in the emails, the attackers attempt to use an exploit for the CVE-2015-2590 Java vulnerability.
This flaw is the first Java zero day found to be actively exploited in the wild in more than two years.
In addition to the 193 patches released yesterday, Oracle also reminded customers to install the patch pushed out in May for the so-called VENOM vulnerability in the QEMU virtual floppy disk controller.
“The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC. The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password,” Oracle said in the out-of-band advisory it issued in May.