Oracle has issued a security update for the Java runtime environment to address ‘zero day’ vulnerabilities exposed earlier this week.
The company is encouraging users to install the patched version as soon as possible. "Oracle recommends that organisations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet," it said.
Oracle confirmed reports that the vulnerabilities, which only affect browser-based Java installations, could be used to install malware remotely. "If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system," it said.
Earlier this week, security company FireEye reported that it had discovered targeted attacks exploiting the flaw "in the wild". Once details of the exploit were publicised, FireEye claimed it had detected "a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly".
In announcing the patch, Oracle criticised the publication of details of the exploit. "It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing."