It was brought to the Internet’s attention on Monday that Java was susceptible to a pretty nasty exploit that could see a user’s PC infected with malware. It was later revealed this morning that Oracle had known about the vulnerability since April but was holding off on a patch until the regularly scheduled update in October. Fortunately, the urgency of the situation has forced their hand.
Oracle issued a security alert today that addresses the three vulnerabilities discovered in Java back in April by Security Explorations. The vulnerabilities, if exploited, would allow an attacker to take control of a user’s computer and steal confidential information. They also had the potential to add any number of PCs to a botnet for other illegal actions.
Oracle’s security alert does give us a bit more information about which versions of Java are affected. The previous reports said that only Java 7 was affected, but Oracle says that Java 6 update 34 and earlier are also affected by the exploit.
Oracle has released updated versions of Java for developers and end users that patch the security holes. Developers can hit up Oracle’s developer site for the latest versions of the Java SDK and JRE 7/6 releases. End users can either download the newest version from Java’s Web site or just get it through automatic updates on the Windows platform.
It’s a relief that Oracle fixed this latest exploit so quickly. I, like a lot of other people, was concerned that Oracle would hold off on updating Java until October. It’s pretty much a given, but everybody should go download the Java fix as soon as they can. System administrators should be especially hasty in applying the patch lest their entire network fall victim to an attack.
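For administrators triaging a fleet, the first step is finding which hosts still run an affected build. The following is an added example (not code from the post or from Oracle) that parses the first line of `java -version` output and applies the one threshold the alert above gives, Java 6 update 34 and earlier; because the post does not state the fixed update level for Java 7, every Java 7 install is flagged for manual verification against Oracle’s alert rather than guessed at. The host names and version lines are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the quoted version on the first line of `java -version`, e.g.
# 'java version "1.6.0_34"' or 'java version "1.7.0_06-b24"'. Java 6/7 use the
# "1.<major>.0_<update>" form; an optional "-bNN" build suffix is ignored.
# Newer "9.0.1"-style strings do not match and are reported as unknown.
VERSION_RE = re.compile(r'"1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')

# From the alert as described above: Java 6 is affected through update 34.
LAST_AFFECTED_UPDATE = {6: 34}
# Java 7 is affected, but the post gives no fixed update level, so it is
# reported as "verify" rather than assuming a threshold.
AFFECTED_MAJORS_WITHOUT_KNOWN_FIX = {7}


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(output: str) -> str:
    """Classify one host's `java -version` line for patch triage."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major in LAST_AFFECTED_UPDATE:
        return "affected" if update <= LAST_AFFECTED_UPDATE[major] else "patched"
    if major in AFFECTED_MAJORS_WITHOUT_KNOWN_FIX:
        return "verify"
    return "not-listed"


# Constructed sample: first lines of `java -version` collected from hosts.
SAMPLE_HOSTS = {
    "build01": 'java version "1.6.0_34"',
    "web02": 'java version "1.6.0_35"',
    "dev03": 'java version "1.7.0_06-b24"',
    "legacy04": 'java version "1.5.0_22"',
    "bad05": "bash: java: command not found",
}


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its triage status."""
    return {host: classify(line) for host, line in hosts.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```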