In addition to the exploit, which leverages a recently patched bug, a researcher has discovered a fresh vulnerability in the newly minted version of Java SE.
Mark Reinhold, the chief architect of the Java platform group, announced the delay late last week.
An improved notification system will help protect users from running risky applications from untrusted sources.
The company apparently was able to distribute a fix so quickly because it actually learned of this vulnerability on Feb. 1, but wasn't able to include a patch in the Feb. 19 update to Java.
Responding to a widening outbreak of Java malware, Oracle on Sunday dispensed an urgent fix for the latest version of the software platform.
Kaspersky researchers have detected that distribution of the exploit is at least in the thousands, with the majority of impacted users located in the U.S., Russia and Germany.
The vulnerability already has been added to commercially available attack toolkits, such as BlackHole and Nuclear Pack.
One day after Oracle released a massive security update, which included fixes for a number of Java vulnerabilities, Apple shipped its own update for Java for Mac OS X.
The latest flaw affecting Java SE could allow an attacker to take over machines through a complete security sandbox bypass. But, so far, there have been no reports of active exploits.
Researchers believe the Nitro crime gang, also behind Oracle's Java zero-day exploit, launched recent attacks through a vulnerability in Internet Explorer 9 and earlier versions.
Security firm Security Explorations discovered the new vulnerability, which, when combined with other still-unpatched weaknesses in Java, could allow for a complete bypass of the Java Virtual Machine sandbox in the environment of the latest Java SE software.
Apple has released Java updates to patch vulnerabilities in Mac OS X Lion, Mountain Lion and Snow Leopard.
Hours after the company that maintains Java released a much-anticipated patch for a widespread malware attack, Polish firm Security Explorations said it discovered a new vulnerability in the software platform.
Patch alert: In a rare, if not unprecedented, move, Oracle on Thursday issued an out-of-cycle patch for gaping holes in Java 7 that have been widely exploited to spread malware.
In light of the fast-spreading Java 7 exploit, Mozilla has become the first browser maker to suggest users disable Java functionality.
As expected, exploits taking advantage of gaping holes in Java now are growing in prominence -- and the big question is: When will Oracle patch the issue?
A new Java exploit is expected to become more widespread now that proof-of-concept code has been published. Oracle isn't scheduled to update Java until October.
Detection rates for exploits against the vulnerability (CVE-2012-1723) are now overtaking attacks abusing a previous widely attacked Java bug (CVE-2012-0507), which was used to spread the widespread Flashback trojan that targeted Mac users.
A researcher investigated Java exploits, and drew on one well-known example, to explain how one of the most common classes of attack spreads.
The commercially available and automated BlackHole exploit kit has been updated to include exploit functionality for a recently patched Java vulnerability, and attacks are now happening in the wild.
Traditionally, Apple has taken some time to release updates for its own version of third-party software. But that may be changing if Tuesday's concurrent patches for Java are any guide.
A host of websites, including the U.S.-based Center for Defense Information, have been compromised with malicious code in order to target and infect visitors.