A zero-day vulnerability affecting sandboxed Java Web Start applications and sandboxed Java applets was recently announced, the first one for Java in two years. Concerns that the vulnerability is already being exploited, together with the ease of exploitation, gave this vulnerability the highest CVSS risk score. Oracle has issued a patch and urges customers to upgrade as soon as possible.

The vulnerability, identified as CVE-2015-2590, was discovered by Trend Micro’s Smart Protection Network after analysing a number of emails targeting a NATO member and a US defence organisation. The emails contained links pointing to websites hosting Java applets that exploited the aforementioned vulnerability, which allowed remote code execution on the victim’s computer.

It is important to know that the vulnerability doesn’t affect the entire Java runtime, only Java Web Start applications and Java applets. Server deployments, and even client deployments that run Java applications locally, aren’t affected. This means that users who don’t navigate to websites containing this sort of application wouldn’t be at risk. For those who do, Oracle identified two levels of risk depending on the profile of the user.

Since the exploit allows code to be executed as the running user, the impact of the exploit differs depending on whether that user has administrator privileges or not. On Linux and Solaris systems, and on Windows systems such as Windows Vista or later, the user typically doesn’t have administrator privileges (on Windows Vista and later the user may have such privileges, but an explicit confirmation is needed to enter elevated mode); for these cases, Oracle’s CVSS score is 7.5 out of 10. However, systems like Windows XP, which is still used by a significant proportion of users, typically grant administrator privileges to standard users, which makes them particularly vulnerable to remote code execution. It is for this kind of profile that Oracle has assigned a score of 10 out of 10.

Oracle released a fix for this vulnerability as part of their scheduled CPU, or Critical Patch Update, on 14th July. CPUs are released quarterly and contain fixes for vulnerabilities addressed during the previous quarter. The fix was released as part of the scheduled update probably because the discovery of the vulnerability fell close to the scheduled release date; had the vulnerability been discovered at a different time, it is likely that Oracle would have released an unscheduled Security Alert update, as happened with CVE-2013-1493.