After informing a researcher just a few days ago that “they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle” they have made a 180 turn on the issue and pushed out an emergency patch to mitigate against the Serious Java Bug That Exposes Users To Code Execution.
They fell under heavy criticism after their statement as it was demonstrated by multiple people that the vulnerability was fairly trivial to exploit and could cause some serious damage.
I’m glad to see they took the proactive step of understanding the vulnerability and pushing out a patch. I just wish they would fix the way in which Java manages updates (multiple redundant copies of the software with minor differences).
Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat.
Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis Ormandy, one of the researchers who first discovered the threat, said he alerted Java handlers inside Oracle’s Sun division, but they decided no patch was necessary before the next update release scheduled for July.
It would appear that Oracle officials had a change of heart. On early Thursday, they pushed out Java 6, update 20, which makes changes to the Java Network Launch Protocol, according to release notes. The JNLP is closely associated with Java Web Start, which makes it easy for end users to install custom libraries needed to run Java applications.
Java 6, Update 20 is now publicly available and seems at least in part to fix the issue. I guess we’ll have to wait until next week when researchers have had some time to do more extensive testing to see if the issue is actually properly fixed.
There are unconfirmed reports however that the patch doesn’t completely eliminate the vulnerability. I wouldn’t be surprised if it’s not totally fixed, but I’ll be happy to see it is. But then from the report it only effects the way in which the Firefox plugin deals with the update so the majority (IE users) should be safe.
There are unconfirmed reports that the patch doesn’t completely eliminate the threat, most notably in this Google translation of a report from Heise. A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however.
The out-of-cycle update is a smart move, but Oracle still has unfinished work to make Java patching more seamless. First, Java needs to stop flogging the Yahoo Toolbar each time an update is available. Patches are about security, not marketing the unwanted bloat of partners.
Another gripe we’ve long had about Java updates is that they reset some default settings. A case in point: If you have Java configured to check for updates daily, instead of monthly as the program does by default, you’ll have to reset that preference each and every time you update. That means it could take a full 30 days to get critical security patches like the one released Thursday.
I have to agree with the comments about the Java updates, I just noticed a few days ago my Firefox had about 15 Java add-ons from all the previous versions of the JVM. Why can’t it just upgrade over the existing version like every other sane piece of software does?
Anyway it’s a good move by Oracle and I hope more companies follow suit by taking security issues seriously and dealing with them in a timely fashion.
Source: The Register