Oracle Releases Emergency Fix for Java Zero-day Exploit
The company broke out of its regular patching cycle for the second time this year
In response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that should deal with the problem. Oracle wrote that these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities.
Hackers were recently found using one of the vulnerabilities to get into users' computers and install McRAT malware. Once installed, McRAT works to contact command-and-control servers and copy itself into all files in Windows systems. Only days after scheduling its last zero-day vulnerability in February, Oracle found these two new exploits. Rather than wait to include the patch in its scheduled quarterly April update, Oracle issued the emergency patch yesterday.