First Zero-Day Java Vulnerability in Two Years

by Abraham Marín Pérez on Aug 08, 2015. Estimated reading time: 2 minutes

A zero-day vulnerability affecting sandboxed Java Web Start applications and sandboxed Java applets was recently announced, the first one for Java in two years. Concerns that the vulnerability is already being exploited, together with the ease of exploitation, gave this vulnerability the highest CVSS risk score. Oracle has issued a patch and urges customers to upgrade as soon as possible.

The vulnerability, identified as CVE-2015-2590, was discovered by Trend Micro’s Smart Protection Network after analysing a number of emails targeting a NATO member and a US defence organisation. The emails contained links pointing to websites hosting Java applets that exploited the vulnerability, allowing remote code execution on the victim’s computer.

It is important to note that the vulnerability doesn’t affect the entire Java runtime, only Java Web Start applications and Java applets. Server deployments, and even client deployments that run Java applications locally, aren’t affected. This means that users who don’t navigate to websites containing this sort of application wouldn’t be at risk. For those who do, Oracle identified two levels of risk depending on the profile of the user.

Since the exploit allows code to be executed as the running user, the impact differs depending on whether that user has administrator privileges. On Linux and Solaris systems, and on Windows Vista or later, the user typically doesn’t have administrator privileges (on Windows Vista and later the user may hold such privileges, but an explicit confirmation is needed to enter elevated mode); for these cases, Oracle’s CVSS score is 7.5 out of 10. However, systems like Windows XP, which is still used by a significant proportion of users, typically grant administrator privileges to standard users, which makes them particularly exposed to remote code execution. It is for this kind of profile that Oracle has assigned a score of 10 out of 10.

Oracle released a fix for this vulnerability as part of its scheduled CPU, or Critical Patch Update, on 14th July. CPUs are released quarterly and contain fixes for vulnerabilities addressed during the previous quarter. The fix was released as part of the scheduled update probably because the discovery of the vulnerability fell so close to the scheduled date; had the vulnerability been discovered at a different time, it is likely that Oracle would have released an unscheduled Security Alert update, as happened with vulnerability CVE-2013-1493.
