Late last week, Oracle released an emergency Java update to close security holes in the Java Runtime Environment (JRE). These holes allow attackers to download and run arbitrary code on vulnerable computers.
You can read Oracle's security advisory yourself, and Oracle's Security Alert page provides additional information about the security issues, the products affected, and what you need to do to fix them. The latter contains the following line: “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
The root of the security issue is two flaws in JRE 1.7. Attackers can chain these weaknesses together to install the Poison Ivy remote access tool (RAT) on victims' computers. The patch Oracle released addresses “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within a browser, according to a blog post from Oracle.
It's worth noting that these security issues don't apply to standalone Java desktop applications or to Java running on servers; no Oracle server software contains these vulnerabilities. What IS vulnerable is Java content loaded in a browser through the Java plug-in.
If you don't use Java on your machine, or don't need it, the United States Computer Emergency Readiness Team (US CERT) advises you to disable your browser's Java plug-in, and even uninstall Java entirely. If you don't know how to do that, Security Watch offers step-by-step instructions. As Fahmida Y. Rashid, reporting on the security issue for PC Magazine notes, “Why give attackers a potential avenue of attack if it's not necessary?”
It's worth noting that relatively few consumer-focused websites require Java these days. If a user doesn't visit such sites, he or she does not need to have the Java plug-in enabled in the browser. Indeed, users can leave the plug-in disabled entirely unless and until they find a particular website that requires it.
Although Oracle was relatively quick on the trigger for this security patch – the exploit existed in the wild for less than a week before the company released a fix – some observers still criticized its approach. Andrew Storms, director of security operations at nCircle, for example, called it a “complete security communication fail on Oracle's part.” He complained that the company included very little information in the patch's release notes, and that it did not communicate that a patch was coming for nearly the entire four days between the time the exploit was spotted in the wild and the time the patch was released.
Oracle has improved somewhat, however. It's rare for the company to release a security patch outside the normally scheduled cycle of its Critical Patch Updates. While it did so in this case – probably because the risk was so severe – Oracle still has a long way to go to make its security-conscious users truly happy.