In response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.
"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," Oracle wrote in a security alert today. "For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system."
Hackers were recently found using one of the vulnerabilities to get into users' computers and install McRAT malware. Once installed, McRAT contacts its command-and-control servers and copies itself into files across Windows systems.
Only days after patching its last zero-day vulnerability in February, Oracle found these two new vulnerabilities being exploited. Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued the emergency patch today.
"In order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible," Oracle software security assurance director Eric Maurice wrote in a blog post today.
In January, Apple blocked Java from some of its Macs using its XProtect antimalware tool, citing security vulnerabilities. The U.S. Department of Homeland Security also announced in January that computer users should disable Java in their Web browsers, warning that further unpatched vulnerabilities could still exist.
According to Oracle, the most recent vulnerabilities are only applicable to Java running in Web browsers -- they don't affect Java running on servers, standalone Java desktop applications, or embedded Java applications. They also do not affect Oracle server-based software.
Users can install and update their Java software by going to the Java Web site or through the Java auto update.