Further problems foreseen for Oracle’s Java

It’s been something of a bad start to the year for Oracle and it doesn’t look likely that it’ll be getting any better any time soon.  Security firm FireEye has uncovered yet another zero-day exploit affecting Oracle’s Java software adding to a long list of flaws that have already been discovered.
Researchers from FireEye say that the vulnerability has already been used to ‘attack multiple customers’ and can be exploited in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed – the latest, supposedly patched, versions of the plug-in.  FireEye warns that this newest flaw is being used to install a remote-access Trojan called McRat and says that it’s a different exploit to the one that caused major security breaches at Facebook, Apple and Twitter recently. McRat is a Windows Trojan and so, although it’s unclear so far whether the flaw affects only Windows or whether computers that run on Linux and Mac OS X are also susceptible, the ‘in the wild’ attacks are only specifically targeting Windows users.
Java’s last update was applied on 19th February and despite being a scheduled release that only targeted 5 security flaws, it followed an emergency update that patched 50 vulnerabilities.  The bad news for everyone that applied these updates hoping that their worries would disappear is that security researchers from Kaspersky Lab last week claimed that the exploit worked in the most recent update of Java (Update 15) but appeared to fail in older ones – such as Update 10.  The only positive news that FireEye is able to offer is that the exploit doesn’t seem to be very reliable as it tries to overwrite large chunks of memory and often ends up causing a Java Virtual Machine crash.
In case you're reading this now on a Java-enabled browser, the current advice is to uninstall or disable Java or set your security settings to ‘High’ when you need to use it. If you’re concerned about online security more generally, then investing in a VPN service will give you an extra level of protection. If your VPN is enabled while you browse the internet, your system is less likely to be exploited by hackers.