Oracle has known about the latest Java vulnerability since April but is unlikely to patch the it until 12 October, leaving millions of web users at risk from cyber criminals.

Java 7 Exploitable vulnerability
Reuters

Oracle, the software giant behind the Java platform was made aware of the current CVE-2012-4681 vulnerability back in April but the American company isn't expected to issue a patch for this and other vulnerabilities until 12 October - when a scheduled update is due to be rolled out.

The latest vulnerability follows on from many other security problems with the platform, leading security researcher at F-Secure, Sean Sullivan to dub it the Perpetual Vulnerability Machine.

This news that Oracle knew about the vulnerability in April comes from Adam Gowdiak, CEO of Polish security firm Security Explorations, who spoke to PC World. He said his company reported this Java 7 vulnerability, along with 18 others, to Oracle on 2 April.

According to a status report received by Gowdiak on 23 August, Oracle was planning to fix the vulnerability in its October Critical Patch Update (CPU), together with the other Java 7 flaws reported by Security Explorations, Gowdiak said.

This means that it will have taken Oracle 191 days to fix a major flaw in the Java platform, leaving millions of users at risk.

Growing risk

And that risk is becoming more real, as security experts have now seen the exploit being used on a growing number of websites. Patrik Runald, director of security research at Websense, told Macworld that said his team had found more than 100 unique domains serving the Java exploit.

In contrast to Oracle's slow pace, cyber criminals looking to exploit this vulnerability acted quickly to take advantage of the vulnerability and spread malware quickly and easily.

According to Chester Wisniewski, writing on security company Sohpos' Naked Security blog, it took less than 12 hours from "the time the proof-of-concept for the latest Java zero-day vulnerabilities went public, for exploits of those vulnerabilities to be included in a commercial crimeware kit."

The crimeware kit he is talking about is Blackhole, which is one of the most popular of the commercial exploit kits available and is used by cyber criminals to automatically infect computers with malware when users visit malicious or compromised websites - in a method known in the industry as a drive-by download.

While this latest vulnerability only affects users on the Java 7 version of the software, the Blackhole Exploit Kit still contains an unpatched exploit for Java 6, meaning millions of more users are still at risk.

At risk

The exploit affects all major web browsers, including Internet Explorer, Chrome, Firefox, Safari and Opera as well as Windows and Mac OS computers.

There has been some confusion whether or not Macs are vulnerable to attacks, as the official version of Java distributed by Apple is Java 6 - which is not vulnerable to the new exploit.

However, Oracle has made Java 7 available to Mac users and if you have downloaded this, then your Mac will be vulnerable. According to Wisniewski, some Twitter users have noted that OS X users with Java 7 are being attacked, but the Blackhole kit is serving up Windows malware.

"I suppose this could be a blessing in disguise, as users are alerted to their insecure Java, but dodge the infection bullet. . . for now."

As well as showing up on more than 100 unique websites, the exploit is spreading elsewhere, as the RedKit Exploit Kit has now included it too, according to Russian blog Malware don't need coffee. However, unlike Blackhole, RedKit is not a widely used kit, initially appearing online in May of this year.

We've been in touch with Oracle's press office seeking confirmation of when the patch will be issued and when the company first found out about the vulnerability, but were told that any announcements would be made on the compnay's security blog.

How to disable Java

If you are worried that your PC or Mac might be in danger, then security expert Brian Krebs has some sound advice on his blog.