Oracle, stressed by the new Java 0day discovered exploited in the wild, seem to have release new updates for Java 7, Java 6 and Java 5. Java 7 is updated to version 1.7.0_17, Java 6 is updated to version 1.6.0_43 and Java 5 is updated to version 1.5.0_41.
These update are pushed an “Oracle Security Alert for CVE-2013-1493” who fix CVE-2013-1493 vulnerability related to the Java 0day, but also another vulnerability, aka CVE-2013-0809, affecting Java running in web browsers. Both vulnerabilities have a CVSS base score of 10.0 and are remotely exploitable without authentication.
Vulnerabilities are credited to an anonymous Reporter of TippingPoint’s Zero Day Initiative, axtaxt via Tipping Point’s Zero Day Initiative, Darien Kindlund of FireEye, Vitaliy Toropov via iDefense and to Vitaliy Toropov via TippingPoint. As you may remember, CVE-2013-1493 was discovered exploited in the wild by FireEye, but it seem that this vulnerability was also previously discovered by a security researcher working with 0day brokers. It is not the first time that we see 0days exploited in the wild, previously reported to 0day brokers !
Also, Security Explorations, a security firm responsible for identifying most of the latest Java vulnerabilities, is not credited for any of the patched vulnerabilities. So they are still bunch off reported vulnerabilities in Java.
Last but not least, Security Explorations has report, today, five new security issues for Java 7 who can be used to gain a complete Java security sandbox bypass in the environmentof Java SE 7 Update 15.