Oracle has patched another previously unknown vulnerability which was actively being exploited to infect PCs.

Oracle Issues Fifth Java Update in Just Two Months
Oracle has issued five security patches for its Java platform in the last two months alone.

The emergency Java update comes just days after security firm FireEye revealed the new vulnerability in the browser plug-in, which it said was being actively exploited to attack multiple customers. The vulnerability allows hackers to download a piece of malware dubbed McRat.

This is the fifth time in the last two months that Oracle has had to update its software.

Users using the latest versions of the Java plug-in for their browser who visited a booby-trapped website would have the McRat Trojan downloaded in the background.

FireEye said the vulnerability affected Java 6 update 41 through Java 7 update 15, though admitted it was not a very reliable exploit, as it overwrote a large chunk of memory and crashed the Java Virtual Machine. However the company had observed it being successfully exploited and once installed, the malware tries to connect to a Command & Control server which Michael Mimoso on the Threat Post blog points out is the same one used in an attack on security company Bit9 last month.

In its advisory on the update, Oracle;s Eric P. Maurice said: "In light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible."

Informed

The company said it had been informed of the vulnerability on 1 February but it was too late to include the update with its 19 February Critical Patch Update for Java and hoped to sit on the problem until the next scheduled Java update on 16 April.

However the revelation that the flaw was being exploited forced Oracle's hand in the matter.

Java is seen by security experts as being a huge security risk and most, if not all, recommend that you switch it off and only use it in cases where it is absolutely necessary. In his advisory Maurice said the company is actively trying to improving this image:

"Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers."

The Java 7 Update 17 was released only hours after further vulnerabilities were found by Security Explorations in Poland, who said it had reported seven Java vulnerabilities to Oracle since 25 February, none of which were address in this update.