Late Monday, Oracle’s upstream swim continued with its fifth major security update to Java this year. Java 7 Update 15 provides two fixes for vulnerabilities being exploited in the wild today. Both vulnerabilities are remotely exploitable without user authentication, and both carry the highest possible CVSS (Common Vulnerability Scoring System) rating of 10.
“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” wrote Eric Maurice, Oracle’s director of software assurance, in a blog post. “However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”