Oracle has rushed out a patch to Java amid reports that yet another vulnerability is being exploited in the wild.
The latest versions of Oracle's software are now Java 7, Update 17 and Java 6, Update 43. This comes only a week or so after Oracle released an additional update to another critical patch at the end of February, which in turn followed one released at the beginning of that month.
None of these fixed two recent vulnerabilities. These were given the Common Vulnerabilities and Exposures identifiers CVE-2013-1493 and CVE-2013-0809, with the former known to be abused by attackers.
Oracle's director of software security assurance Eric Maurice wrote on the company's security blog that reports of active exploitation of vulnerability CVE-2013-1493 were received too recently to be included in the February 19 release of the Critical Patch Update for Java SE.
After Oracle received reports of CVE-2013-1493 being exploited in the wild, it decided to release another emergency patch immediately rather than wait for the originally scheduled 16 April Critical Patch Update for Java SE.
The vulnerability means that users who visit a malicious web page could leave their computers open to exploitation, with no username or password required of the attacker. The vulnerability exists only in Java applets.
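As an added example (not from the article or from Oracle), the Python check below parses the first line of `java -version` output and reports whether an install is at or above the fixed update levels named above, Java 7 Update 17 and Java 6 Update 43; the sample banners are constructed for illustration.

```python
import re

# Minimum update level per Java family that carries the fix, per the
# advisory covered above (Java 7 Update 17, Java 6 Update 43).
FIXED_UPDATE = {6: 43, 7: 17}

# Matches e.g. 'java version "1.7.0_17"' (suffixes such as '-b02' are ignored).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(banner):
    """Return (family, update) parsed from `java -version` output.

    Note: the JVM prints this banner to stderr, so capture that stream when
    running the command; here the text is passed in directly.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("unrecognised java -version output: %r" % banner)
    return int(match.group(1)), int(match.group(2))


def is_patched(banner):
    """True if the install is at/above the fixed update level for its family,
    False if it is older, None if the family is not covered by this advisory."""
    family, update = parse_java_version(banner)
    if family not in FIXED_UPDATE:
        return None
    return update >= FIXED_UPDATE[family]


def triage(inventory):
    """Map host name -> 'patched' / 'VULNERABLE' / 'not covered' for a dict of
    host -> java -version banner (constructed sample input below)."""
    labels = {True: "patched", False: "VULNERABLE", None: "not covered"}
    return {host: labels[is_patched(banner)] for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    sample = {
        "ws-01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
        "ws-02": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
        "ws-03": 'java version "1.6.0_43"',
        "ws-04": 'java version "1.5.0_22"',
    }
    for host, status in sorted(triage(sample).items()):
        print(host, status)
```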
Oracle is in one of those “damned if you do, damned if you don’t” situations. If it does not release a patch quickly then the likes of Apple will claim that the operating system is insecure and should not be used. If it does release a patch it is seen as proof that the software is buggy and risky.