Oracle has released its July 2015 Critical Patch Update that provides fixes for 193 security vulnerabilities, including a zero-day vulnerability recently discovered in Java. According to a post published on Oracle's blog, the update contains patches for a number of applications, such as Oracle Database, for which there are provided 10 security fixes including a patch for a vulnerability (CVE-2015-2629) that has received a CVSS Base Score of 9.0 for the Windows platform and 7.5 for Linux and Unix platforms.
Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise, and eight other applications also received patches under this update. The computer technology corporation has also issued 25 fixes for Oracle Java SE. Among those vulnerabilities patched is a recently discovered zero-day vulnerability (CVE-2015-2590), which was reported to have been actively exploited in the wild. Recently, security threat analysts Brooks Li and Feike Hacquebord of TrendLabs wrote a blog post detailing how the attackers behind Operation Pawn Storm, a long-running APT campaign that began targeting the White House and members of the North Atlantic Treaty Organization (NATO) back in April 2015, have begun employing suspicious URLs that are hosting this particular zero-day bug.
"Once successfully exploited, it [the zero-day vulnerability] executes arbitrary code on the default Java settings thus compromising the security of the system," explains Li and Hacquebord. "Trend Micro detects the exploit code as JAVA_DLOADR.EFD. The file which Trend Micro detects as TROJ_DROPPR.CXC drops the payload, TSPY_FAKEMS.C to the login user folder."
Users are urged to update their Java versions and other Oracle-based applications as soon as possible.
"Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes," reads the company's July 2015 Critical Patch Update. "In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."
This update arrives amidst a flurry of patches for both Microsoft and Adobe, the latter of which includes fixes for two zero-day security vulnerabilities discovered in Flash as part of last week’s Hacking Team leaks.