0 to fixed in 3 days

Oracle patches widespread Java zero-day bug in three days (Updated)

Bug helped hackers install silent keyloggers, other malicious software on sites.

Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.

Today, however, KrebsOnSecurity reporter Brian Krebs reports that Oracle has finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation, and it's available both from Oracle's website and through the Java Control Panel of an existing installation.

Krebs reports that this update changes the way Java handles Web applications. From Oracle's advisory:

“The default security level for Java applets and Web start applications has been increased from 'Medium' to 'High.' This affects the conditions under which unsigned (sandboxed) Java Web applications can run. Previously, as long as you had the latest secure Java release installed, applets and Web start applications would continue to run as always. With the 'High' setting, the user is always warned before any unsigned application is run to prevent silent exploitation.”
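For administrators who would rather pin the 'High' level across a fleet than rely on each user's Java Control Panel, the setting can be written into a system-wide deployment.properties file. The fragment below is an added example, not text from the article or from Oracle's advisory; the key names (deployment.security.level and the .locked suffix that prevents users from overriding a property) come from Oracle's Java deployment configuration documentation, and the file location varies by platform and Java version, so no path is given.

```properties
# System-wide Java deployment.properties (added example; file location is platform-dependent)

# Weak pre-7u11 default: unsigned (sandboxed) applets and Web Start apps run without a prompt
# deployment.security.level=MEDIUM

# Corrected setting matching the 7u11 default: always prompt before running unsigned code
deployment.security.level=HIGH

# Lock the property so it cannot be lowered from the Java Control Panel
deployment.security.level.locked
```

Pinning the level only changes the prompt behaviour for unsigned code; it is not a substitute for applying Update 11 itself, or for disabling the browser plug-in where Java is not needed.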

As Krebs acknowledges, it's nice that Oracle acted so quickly in the face of such an attack. However, the rule with Java remains: if the program isn't absolutely necessary to your day-to-day, the safest route is avoiding it entirely.

Update: On Sunday evening, Microsoft issued an advance notification to customers that on January 14 at 10:00 a.m. PST, the company would "release an out-of-band security update to fully address the issue described in Security Advisory 2794220." This separate, emergency security update should address a vulnerability in Internet Explorer that could have allowed remote code execution.
