Oracle Java 7 Update 15, Java 6 Update 41, Java 5.0 Update 40, and earlier versions contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.
Additional details of the vulnerability can be found at FireEye Malware Intelligence Lab blog post.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities.
Apply an update
Disable Java in web browsers
Oracle credits the following people or organizations for reporting security vulnerabilities addressed by this Security Alert to Oracle: an Anonymous Reporter of TippingPoint's Zero Day Initiative; axtaxt viaTipping Point's Zero Day Initiative; Darien Kindlund of FireEye; Vitaliy Toropov via iDefense; and Vitaliy Toropov via TippingPoint.
This document was written by Michael Orlando.