Oracle patches widespread Java zero-day bug in three days (Updated)

Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.

Today however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.

Krebs reports this update changes the way Java handles Web applications. From the company's advisory:

Read 2 remaining paragraphs | Comments

Additional Protection for Recent Java Zero-Day

Security Response recently blogged about the Java zero-day that is active in the wild and being distributed by the Cool Exploit Kit. In addition to Cool Exploit Kit, we are aware that several other major exploit kits such as Blackhole, Redkit, and Impact are also equipped to exploit this unpatched vulnerability.

Symantec Security Response is currently detecting JAR files served up by the various exploit kits as Trojan.Maljava and we have further protection in place with Trojan.Maljava!gen26.

Additionally, Symantec has released the following IPS signatures to proactively block the malicious JAR files and associated exploit attempts:

By blocking the JAR files containing the exploit, downloading and execution of additional malicious files will not occur.

Our in-field telemetry shows IPS technology is blocking about 300,000 exploit kit attacks every day. The following heat map based on IPS detections for this exploit shows geographic distribution over the past week:


The United States Department of Homeland Security advised users to disable Java in their browsers until a patch is released for the vulnerability.

Update [January 13, 2012]Oracle has just released the patch and Symantec strongly urges all users of Java to download and install this patch as soon as possible. Oracle has also provided a blog for further details on the vulnerability.