Oracle released Java Standard Edition Update 11 on Sunday, less than a week after news first broke that cyber criminals had woven exploit code for the security hole into push-button “exploit kits” that are for sale in the cyber underground. The update fixes CVE-2013-0422, and Oracle urged Java users to apply the update as soon as possible.
Java technology powers billions of laptop and desktop computers, as well as smart phones and embedded devices. However, the platform has been the subject of repeated, critical security holes. Most recently, in August, Oracle was forced to rush out a similar update – Java Standard Edition Update 10 – in the face of similar attacks on another security hole.
Attacks using the exploit were reported to be served both from cyber-criminal-controlled attack sites and from legitimate web sites and ad networks, making it difficult for web users to protect themselves.
The provenance of the latest security hole isn’t known. Researchers at Kaspersky Lab noted a spike in Java exploits starting on January 9, though the company said the exploit may have been circulating as early as mid-December. By last week, the exploit had been melded into almost every major exploit kit, including the Black Hole, RedKit, and Nuclear exploit kits.
The string of serious holes has prompted many security experts to recommend that web users disable Java in their browsers altogether. The U.S. Computer Emergency Readiness Team (US-CERT) urged computer users to disable Java. Apple Computer added Java SE Update 10 to its list of blacklisted software to protect users of its Mac operating system.
Applying the latest update will protect users from exploits of the latest vulnerability.
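The practical check that follows from the article is whether an installed runtime is at or past the fixed update. The script below is an added example, not code from the article or from Oracle: it parses the first line of `java -version` output (which the Java launcher prints to stderr) and compares the version against the update named above. It assumes that Java SE Update 11 identifies itself with the version string `1.7.0_11`; the two sample outputs are constructed for the example rather than captured from real systems.

```python
import re
import subprocess

# Assumption: the update the article names (Java SE 7 Update 11)
# reports itself as version 1.7.0_11. Adjust if auditing a different line.
FIXED_VERSION = (1, 7, 0, 11)

# First line of `java -version` looks like: java version "1.7.0_10"
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(version_output):
    """Return (major, minor, micro, update) parsed from `java -version` text,
    or None when no recognisable version line is present."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version_output, fixed=FIXED_VERSION):
    """True when the reported version is at least the fixed version.
    Tuple comparison means an older release line (e.g. 1.6.x) is reported
    as unpatched, which is the conservative answer for an inventory check;
    unparseable output is also treated as unpatched."""
    ver = parse_java_version(version_output)
    if ver is None:
        return False
    return ver >= fixed


def check_local_java():
    """Run the installed java binary and classify it.
    Returns (parsed_version, patched); parsed_version is None if no java is found."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None, False
    # The launcher writes the version banner to stderr; include stdout for safety.
    output = proc.stderr + proc.stdout
    return parse_java_version(output), is_patched(output)


# Constructed sample banners (not captured from real machines).
SAMPLE_OLD = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n'
SAMPLE_NEW = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n'

if __name__ == "__main__":
    for label, banner in (("sample old", SAMPLE_OLD), ("sample new", SAMPLE_NEW)):
        print(label, parse_java_version(banner), "patched" if is_patched(banner) else "NOT patched")
    ver, ok = check_local_java()
    print("local java:", ver, "patched" if ok else "NOT patched or not installed")
```

Running the script on a fleet (or feeding it banners collected by a management agent) gives a quick inventory of machines still exposed; browsers with Java disabled, as US-CERT recommended, are protected regardless of the installed version, so the check is about the runtime, not the browser plug-in state.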