Oracle has finally acknowledged and acted on a zero-day Java exploit that has presented a serious risk to users of all Java-equipped internet browsers for the past week.
Recognising "three distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers", Eric Maurice, director of Oracle software security assurance, has posted a link to a Security Alert update for the Java 7 platform.
The three major vulnerabilities, which data security groups say can "do anything Java can do" once they take hold, have been given CVSS (Common Vulnerability Scoring System, developed by the FIRST security group) Base Scores of 10.0 – the maximum score available.
In the blog, Maurice admits: "If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system."
Java users are advised to install the Security Alert patch "as soon as possible", due to the "high severity" of the vulnerabilities.
An update on Oracle's Technology Network page also adds that "successful exploits can impact the availability, integrity, and confidentiality of the user's system".
Discovered on Monday, and thought to be behind several attacks before and since, the exploit can hijack browsers and, worryingly, is being added to various publicly available exploit kits.
The two highest-profile vulnerabilities of what now appear to be three – one based on the sun.awt.SunToolkit class and the other on the getFields method – have been linked to the Nitro hacking group from China. Nitro was believed to be behind an attack campaign in 2011 that infected nearly 50 chemical and defence companies with the PoisonIvy remote access malware.
Researchers believe Nitro has been carrying out attacks for over a week, with the Java vulnerabilities at the forefront of its efforts.