Another day, another Java security alert. In this case, Oracle has released Security Alert CVE-2013-1493, which highlights two vulnerabilities that are particular to Java in browsers. The patch for these issues was originally slated for release in April as part of Oracle’s Critical Patch Update for Java SE. Because the vulnerabilities are being exploited in the wild, however, the company has elected to push out the updates now.
According to Oracle, the two vulnerabilities do not pertain to Java on servers, standalone desktop applications, or embedded Java apps. One of the two issues, however, is being actively exploited in the wild and is used to install McRat on the victim’s computer. McRat is a trojan that downloads and executes other files.
Oracle urges users to download the update as soon as possible, which can be done most easily via auto-update, or by heading over to Java.com and grabbing it manually. In addition, the company reminds users that it recently changed Java’s security level to “High” to help fight against malicious activity. As such, users will need to give an applet permission to run, and will need to use judgement when doing so.
In addition, Apple has rolled out an update for OS X 2013-002 that improves security, among other things. The update works by uninstalling the Java applet plug-in Apple provided across all browsers. When the user needs the applets, they’ll need to click “Missing plug-in,” which will take them to the latest Java applet plug-in version to download and install.