After several days of criticism from experts and commentators over its lack of action, Oracle announced on Thursday that it is releasing an emergency update for its widely used Java software to close a hole that criminals were using to gain access to end users' machines.
According to reports, Oracle became aware of the bug more than four months ago but declined to release an unscheduled update until Thursday. The latest update is designed for Java Standard Edition 7, although the company is also releasing an update for Standard Edition 6. The vulnerability discovered by researchers reportedly affects only version 7, not version 6 and earlier.
Although critical bugs are inevitable in software as complex as Java, Oracle has drawn fire from experts and critics alike because it did nothing even though the issue had been circulating on the web for a long time. The company simply turned a deaf ear, and its representatives did not respond to requests for comment. Java users were only informed when the update was released on Thursday.
The update fixes the vulnerability tracked as CVE-2012-4681 and at least two other known issues. The company's blog credited Adam Gowdiak of the Poland-based firm Security Explorations, who reported the problem to Oracle back in April.
Known criminal groups are using the exploit in the wild and have already compromised websites, which are then used to spread malware to Windows machines. One of these groups is known as the Nitro Gang, named after its past attacks on companies in the chemical industry. The group is said to have used the exploit to install the Poison Ivy malware, also known as Backdoor Darkmoon, on Windows computers around the world.
Experts critical of Java have been advising for several years that users who do not need the software should uninstall it. While some websites need Java to run properly on end users' computers, most sites on the internet work perfectly well without it. Removing the software, they claim, significantly decreases the chance of a computer being compromised.