Oracle Releases Emergency Patch for Java Vulnerability


After informing a researcher just a few days ago that “they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle” they have made a 180 turn on the issue and pushed out an emergency patch to mitigate against the Serious Java Bug That Exposes Users To Code Execution.

They fell under heavy criticism after their statement as it was demonstrated by multiple people that the vulnerability was fairly trivial to exploit and could cause some serious damage.

I’m glad to see they took the proactive step of understanding the vulnerability and pushing out a patch. I just wish they would fix the way in which Java manages updates (multiple redundant copies of the software with minor differences).

Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat.

Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis Ormandy, one of the researchers who first discovered the threat, said he alerted Java handlers inside Oracle’s Sun division, but they decided no patch was necessary before the next update release scheduled for July.

It would appear that Oracle officials had a change of heart. On early Thursday, they pushed out Java 6, update 20, which makes changes to the Java Network Launch Protocol, according to release notes. The JNLP is closely associated with Java Web Start, which makes it easy for end users to install custom libraries needed to run Java applications.

Java 6, Update 20 is now publicly available and seems at least in part to fix the issue. I guess we’ll have to wait until next week when researchers have had some time to do more extensive testing to see if the issue is actually properly fixed.

There are unconfirmed reports however that the patch doesn’t completely eliminate the vulnerability. I wouldn’t be surprised if it’s not totally fixed, but I’ll be happy to see it is. But then from the report it only effects the way in which the Firefox plugin deals with the update so the majority (IE users) should be safe.

There are unconfirmed reports that the patch doesn’t completely eliminate the threat, most notably in this Google translation of a report from Heise. A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however.

The out-of-cycle update is a smart move, but Oracle still has unfinished work to make Java patching more seamless. First, Java needs to stop flogging the Yahoo Toolbar each time an update is available. Patches are about security, not marketing the unwanted bloat of partners.

Another gripe we’ve long had about Java updates is that they reset some default settings. A case in point: If you have Java configured to check for updates daily, instead of monthly as the program does by default, you’ll have to reset that preference each and every time you update. That means it could take a full 30 days to get critical security patches like the one released Thursday.

I have to agree with the comments about the Java updates, I just noticed a few days ago my Firefox had about 15 Java add-ons from all the previous versions of the JVM. Why can’t it just upgrade over the existing version like every other sane piece of software does?

Anyway it’s a good move by Oracle and I hope more companies follow suit by taking security issues seriously and dealing with them in a timely fashion.

Source: The Register

Posted in: Countermeasures, Exploits/Vulnerabilities, Secure Coding

, , , , ,


Latest Posts:


APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.


Comments are closed.