(LiveHacking.Com) – Oracle has rushed out an emergency patch to address two Java vulnerabilities, one of which is being actively exploited by attackers to install the McRat malware onto victims’ PCs. Both vulnerabilities affect the 2D component of Java SE. They target Java running in the browser and are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.
Security Alert CVE-2013-1493 patches Java to fix the vulnerabilities, which, although reported to Oracle on February 1st 2013, came too late to be included in February’s Critical Patch Update for Java SE. The fix had originally been planned for the April Critical Patch Update for Java SE, but since the vulnerabilities are being exploited in the wild, the company decided to release this out-of-band fix. The Java Runtime Environment (JRE) and the Java Development Kit (JDK) are affected for Java 5, Java 6 and Java 7.
“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system,” said Oracle in a statement.
Apple simultaneously released an update for Java on OS X. OS X 2013-002 and Java for Mac OS X v10.6 Update 14 are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7, and OS X Mountain Lion 10.8 or later.
According to Apple, “Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.”
All users who don’t need to run Java in the browser should disable all Java plugins in all of the browsers on their PC or Mac. You should also strongly consider removing Java completely from your machines.