This closes three serious security holes in Java SE 7 that are already being actively attacked by web-based exploits. "Because of the severity of the vulnerabilities, Oracle recommends that customers apply this security alert as soon as possible," writes Eric Maurice, Oracle's Director of Software Security Assurance, in a blog post.
Incidentally, the vulnerabilities only affect Java in the browser (which is why, for example, the BSI advised disabling the Java browser plug-ins). Stand-alone Java applications on the desktop and server-side Java are not affected.
The vulnerabilities became known last weekend and, according to a report by The Register, were quickly incorporated into the malware toolkit "Blackhole" and the penetration testing tool "Metasploit".
On Wednesday, Adam Gowdiak of the Polish company Security Explorations said that Oracle had already been informed about the three vulnerabilities mentioned, along with 29 further security vulnerabilities, in April of this year. Oracle did not get the corresponding fixes ready in time for the Critical Patch Update (CPU) in June.
However, the next CPU is not scheduled until the 16th of October. Now that the vulnerabilities have received a lot of public attention, Oracle has apparently been forced to release a rare out-of-band update.
According to Maurice, Java users on Windows receive the patched version, Java SE 7 Update 7, via the automatic update function. End users on other platforms can download and install it from http://java.com; developers will find the latest version as usual at OTN.