(LiveHacking.Com) – In a surprise move that security researchers had hoped for but dared not believe would happen, Oracle has released an out-of-band update to Java to fix several security vulnerabilities that are being exploited in the wild. The update addresses CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities (CVE-2012-3136 and CVE-2012-0547) affecting Java running in web browsers on desktops.
These vulnerabilities, which do not apply to Java running on servers or to standalone Java desktop applications, can be exploited remotely without authentication. Exploitation occurs when an unsuspecting user visits a malicious web page designed to leverage the vulnerabilities. Upon successful exploitation, the attacker can run arbitrary code on the victim’s computer.
“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” wrote Oracle’s Eric P. Maurice in a blog post.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Users can download Java 7 Update 7 for Windows, Linux, Mac OS X, Solaris x86 and Solaris SPARC. The update is available in 32-bit and 64-bit versions for all platforms except OS X, which is 64-bit only. New versions of the Java SE Development Kit, bundled with the updated Java runtimes, are also available.
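A quick way for administrators to confirm that desktops actually received the fix is to parse the runtime's own `java -version` banner and compare it against 1.7.0_07 (Java 7 Update 7). The script below is an added example, not code from Oracle or from the article; it assumes the standard `java version "1.7.0_NN"` banner format and only covers the Java 7 line, since that is the release the article describes.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java 7 Update 7 (1.7.0_07) is the release that fixes CVE-2012-4681,
# CVE-2012-3136 and CVE-2012-0547 according to the alert.
FIXED_VERSION = (1, 7, 0, 7)

# Matches e.g. 'java version "1.7.0_06"' or 'java version "1.7.0"' (no update suffix).
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, update) from a `java -version` banner."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(banner: str) -> str:
    """Classify a runtime as 'patched', 'vulnerable', 'out-of-scope' or 'unknown'."""
    version = parse_java_version(banner)
    if version is None:
        return "unknown"        # unparseable banner: treat as needing attention
    if version[:3] != (1, 7, 0):
        return "out-of-scope"   # not the Java 7 line this check covers (assumption)
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def installed_java_banner() -> str:
    """Run the local `java -version`; the JVM prints its banner to stderr."""
    result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return result.stderr or result.stdout


if __name__ == "__main__":
    # Constructed sample banner for an unpatched Java 7 Update 6 runtime.
    sample = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
    print("sample:", assess(sample))
    try:
        print("local:", assess(installed_java_banner()))
    except FileNotFoundError:
        print("local: java not found on PATH")
```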