Oracle has released Java SE 7u17 with emergency security updates that resolve two vulnerabilities affecting Java running in web browsers. This update addresses security issues CVE-2013-1493 and CVE-2013-0809, both of which affect Java running in web browsers. These vulnerabilities may be remotely exploitable without the need for a username or password. “Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software,” said the company.
Oracle recently received reports of exploitation of CVE-2013-1493 “in the wild”. However, this bug—a Windows backdoor Trojan—was originally reported to Oracle on February 1, 2013, too late to be included in the February release of the Critical Patch Update for Java SE. Because of the reports of active exploitation of CVE-2013-1493, Oracle has issued this emergency security update ahead of the company’s planned April 16, 2013 Critical Patch Update for Java SE.
Descriptions of the two vulnerabilities resolved in the Java SE 7u17 software update are as follows:
- CVE-2013-1493: The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.
- CVE-2013-0809: Unspecified vulnerability in the 2D component in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2013-1493.
Oracle strongly recommends that all Java SE 7 users upgrade to this release. Mac users can go to Oracle’s website to download Java SE 7u17 as advised. Users running Java SE with a browser can download the latest release from Java.com.
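The affected ranges listed above (7 Update 15 and earlier, 6 Update 41 and earlier, 5.0 Update 40 and earlier) are easy to misread when triaging hosts, so the following added example (not from the article or from Oracle) parses the version token that `java -version` prints, e.g. `1.7.0_15`, and reports whether the runtime falls inside those ranges. The sample outputs are constructed; the regex, the `LAST_AFFECTED_UPDATE` table and the function names are this example's own assumptions, and Java 8 or non-Oracle builds are reported as not covered rather than guessed at.

```python
import re
import subprocess

# Last update level listed as affected in the advisory text, per major line:
# Java SE 7 Update 15, 6 Update 41, 5.0 Update 40 (and earlier).
# Anything above these is treated as patched; the page names 7u17 as the fixed 7 release.
LAST_AFFECTED_UPDATE = {7: 15, 6: 41, 5: 40}

# Matches the pre-Java-9 version token, e.g. 1.7.0_15 or 1.6.0_41-b02.
# Only the 5/6/7 lines are covered; other majors deliberately do not match.
VERSION_RE = re.compile(r'\b1\.(?P<major>[5-7])\.0(?:_(?P<update>\d+))?')


def parse_java_version(line):
    """Return (major, update) from one `java -version` line, or None if no covered version is found."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major = int(m.group('major'))
    # A bare "1.7.0" with no _NN suffix is the GA release, i.e. update 0.
    update = int(m.group('update') or 0)
    return major, update


def is_affected(line):
    """True if the version on this line is at or below the last affected update, False if above,
    None if the line carries no version from the 5.0/6/7 families."""
    parsed = parse_java_version(line)
    if parsed is None:
        return None
    major, update = parsed
    return update <= LAST_AFFECTED_UPDATE[major]


def classify(output):
    """Reduce full `java -version` output to 'affected', 'patched' or 'not-covered'."""
    for line in output.splitlines():
        verdict = is_affected(line)
        if verdict is not None:
            return 'affected' if verdict else 'patched'
    return 'not-covered'


def classify_local_runtime():
    """Run the local `java -version` (it prints to stderr) and classify it; 'missing' if no java."""
    try:
        proc = subprocess.run(['java', '-version'], capture_output=True, text=True)
    except FileNotFoundError:
        return 'missing'
    return classify(proc.stderr + proc.stdout)


# Constructed sample outputs in the shape `java -version` prints; not captured from real hosts.
SAMPLE_OUTPUTS = {
    'host-a': 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)\n',
    'host-b': 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    'host-c': 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)\n',
    'host-d': 'java version "1.5.0_40"\n',
    'host-e': 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)\n',
}

if __name__ == '__main__':
    for host, output in SAMPLE_OUTPUTS.items():
        print(f'{host}: {classify(output)}')
    print(f'local runtime: {classify_local_runtime()}')
```

Only the version line is inspected, so the check says nothing about whether the browser plug-in is enabled; it answers the narrower question of whether an installed runtime is inside the ranges the advisory lists.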