Oracle Quietly Releases Fix For Serious Java Security Bug, Months After It Was Reported

Oracle just scored points with the security community for rushing out an out-of-cycle patch for a critical security flaw in Java that was already being widely exploited by the cybercriminal underground. But given that the company pushed the fix only months after the bug was initially reported, Oracle's definition of "early" leaves something to be desired.

On Thursday, Oracle released an update for its ubiquitous Java plugin that patches a serious set of security issues, ones that allowed cybercriminals to install malware through drive-by downloads, with no user interaction, when users visited rigged websites. The exploit technique had already been integrated into the widely used Black Hole cybercrime exploit kit, and was quickly spreading around the web.

Users can find the update on Java.com, where it's labelled Java 7 update 7.

The patch's release comes months ahead of Oracle's next planned patch in its cycle, which would have been in October. But perhaps responding to the security community's warnings that users should disable Java to protect themselves, Oracle has taken the rare step of releasing its fix early.

Even so, security researchers have pointed out in recent days that the flaws were actually reported to Oracle much earlier, in April of this year. The Polish firm Security Explorations claims in a blog post that it alerted Oracle to a large collection of bugs more than four months ago, and even received confirmation that Oracle had taken note of their findings. Despite those warnings, only two of the 31 bugs the Polish team reported were fixed in the most-recent June update.

With the latest patch, the Java exploit appears to have been finally defanged, says H.D. Moore, chief security officer at security firm Rapid7, which had integrated the exploit into its Metasploit penetration testing tool. But he warns that other persistent bugs could allow hackers to circumvent the patch. "The easily exploitable cases seem to be fixed," he says. "But there may be other ways to trigger the same code. It may just take some digging to find another variant."

Even if the patch is reliable, Moore warns that it could be months longer before it's deployed on real-world systems. The majority of users don't immediately update Java, he says, and Linux and OS X users often must wait far longer than Windows users for Java patches. In the case of the Flashback malware that infected more than 600,000 Macs, for instance, cybercriminals took advantage of a weeks-long lag between Oracle's patch and Apple's release of the fix.
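The adoption lag Moore describes is something an administrator can measure on their own machines. The script below is an added example, not code from the article, Oracle or Rapid7: it parses the banner that `java -version` prints (the `1.7.0_NN` form Java 7 used at the time, with or without a `-bNN` build suffix) and reports whether a Java 7 install is at or past Update 7, the release the article identifies as carrying the fix. The threshold is taken from the article; the names `java7_status`, `parse_java_version` and `check_local_java` are this example's own, and the sample banners are constructed rather than captured from real hosts. The page does not say whether other major versions are affected, so the check reports those as "not-java-7" rather than guessing.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java 7 Update 7 (1.7.0_07) is the build the article names as carrying the fix.
FIXED_UPDATE = 7

# Matches the first line of `java -version` output, for example:
#   java version "1.7.0_07"
#   java version "1.7.0_06-b24"   (build suffix after the update number is ignored)
#   java version "1.7.0"          (GA release with no update number)
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) parsed from a `java -version` banner, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update) if update else 0)


def java7_status(output: str) -> str:
    """Classify a `java -version` banner against the Java 7 Update 7 threshold.

    Returns one of: "patched", "unpatched", "not-java-7", "unknown".
    """
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    major, minor, _micro, update = version
    if (major, minor) != (1, 7):
        # The article only discusses Java 7; other lines are reported, not judged.
        return "not-java-7"
    return "patched" if update >= FIXED_UPDATE else "unpatched"


def check_local_java() -> str:
    """Run `java -version` on this host and classify the result."""
    try:
        # `java -version` writes its banner to stderr, not stdout.
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return java7_status(proc.stderr + proc.stdout)


# Constructed sample banners (hypothetical, not captured from any real host).
SAMPLES = {
    "fixed-build": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "pre-fix-build": 'java version "1.7.0_06-b24"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ga-no-update": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)',
    "java-6-line": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "no-java": "bash: java: command not found",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {java7_status(banner)}")
    print("local java:", check_local_java())
```

Running the script prints one verdict per constructed banner and then the verdict for whatever `java` is first on the local PATH. Because the banner goes to stderr, a naive check that reads only stdout would report every host as "unknown"; that is the one parsing trap worth remembering when scripting this across a fleet.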

Even Oracle's announcement of the patch was criticized in the security community for failing to convey the urgency of the problem. Itzhak Avraham, chief executive of the penetration testing tool firm Zimperium, noted that an automatic update early Thursday still left his computer vulnerable to the Java exploit; only a manual update later in the day prevented the attack. And Oracle didn't make much of a public announcement of the fix, mentioning it only in obscure release notes on its website. I contacted Oracle for more information, but haven't yet heard back from the company.

One security researcher at vulnerability analysis firm Veracode summarized the security community's sentiments on Twitter: "There is no notification anywhere on the website that it's security critical," she writes. "To the Oracle engineers who pulled an all-nighter or two: thank you. To Oracle PR: you are horrible people who deserve suffering."