It's only March, but 2013 has not been a good year so far for Oracle Java security. On the negative side, Java has been repeatedly shamed and blamed for being the root cause of big-name exploits. On the positive side, Oracle is continuing to swim upstream, issuing fixes as rapidly as it can.
Late Monday, Oracle's upstream swim continued with its fifth major Java security update this year. Java 7 Update 15 provides two fixes for vulnerabilities being exploited in the wild today. Both vulnerabilities are remotely exploitable without user authentication, and both carry the highest possible CVSS (Common Vulnerability Scoring System) rating of 10.
"The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013)," wrote Eric Maurice, Oracle's director of software assurance, in a blog post. "However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert."
The exploitation of CVE-2013-1493 was reported on Feb. 28 by security vendor FireEye. The vulnerability enables an attacker to exploit memory and download a McRat trojan executable onto a vulnerable device.
Even with the two new fixes, Java may still be at risk from reported but unfixed vulnerabilities. Security researcher Adam Gowdiak disclosed on the Full-Disclosure mailing list that he has submitted several issues to Oracle that remain unresolved.
Oracle has been aggressively moving to patch Java at a rapid rate in 2013.
In February alone, Oracle patched Java for at least 55 different flaws. The regularly scheduled Java Critical Patch Update came out on Feb. 19 providing five fixes, though it followed a Feb. 1 update with 50 fixes. Oracle started off 2013 with the Java 7 Update 11 (7u11) release, fixing zero-day flaws that were also being exploited in the wild.
"Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers," Maurice stated. "The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment."