
Yet another Java zero-day flaw found


Less than a week after the latest zero-day flaw in Oracle's Java software was discovered, security researchers have found yet another bug that can allow attacks on computers.
 
The latest flaw, which researchers from FireEye dubbed YAJ0 (Yet Another Java Zero-Day), is already being exploited "in the wild."
 
"This post was intended to serve as a warning to the general public. We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to 'High' and do not execute any unknown Java applets outside of your organization," it said.
 
It said the new zero-day vulnerability has been used to attack multiple customers, especially those whose browsers have Java v1.6 Update 41 and Java v1.7 Update 15 installed.
 
Unlike other popular Java vulnerabilities, it said this new vulnerability "leads to arbitrary memory read and write in JVM process."
 
Only last week, Poland-based Security Explorations said it had informed Oracle of another vulnerability.
 
Exploited in the wild
 
A separate article on PC Magazine said attackers are currently exploiting the new vulnerability in the wild.
 
"It's the same cat-and-mouse game we've seen with other companies. A zero-day is found, the company patches it, a new zero-day is found. Wash, rinse, and repeat," it noted (http://securitywatch.pcmag.com/none/308748-another-java-zero-day-found-dump-that-browser-plugin).
 
PC Mag added that Oracle has released several emergency updates in the past year because the bugs have been so serious. — TJD, GMA News