Oracle failed to fix a major flaw in its latest Java release even though it knew of the issue, and had been told the flaw could be patched in just 30 minutes.
Earlier this month, Larry Ellison’s software behemoth released a fresh version of Java, fixing 30 vulnerabilities, but missing one that it had been told about in late September.
That flaw, uncovered by Polish firm Security Explorations, could allow a hacker to achieve a complete Java security sandbox bypass, which could in turn allow them to put plenty of nasty stuff on victims’ machines. It affects Java SE 5, 6 and 7 – meaning all modern, widely-used versions are hit.
Oracle currently plans to patch the vulnerability in February next year, but is being taken to task by Security Explorations, led by CEO Adam Gowdiak, for being so slow.
He claimed that Oracle said it was too late to include fixes for the security hole, which Gowdiak calls “Issue 50”. “The company was in the final stages of extensive testing of October 2012 Java SE CPU when it received Issue 50 report,” he said in a post on Seclists.org.
“Upon evaluation of Issue 50 and the options to fix it, company’s assessment was that it was too late to include fixes in the October Java SE CPU.”
Irked by Oracle’s response, Gowdiak and his researchers kicked off a “Vulnerability Fix Experiment”. The firm subsequently claimed the problem could be addressed in half an hour, with just 25 characters needing to be altered in the source code.
Furthermore, the changes would not require any integration tests with other Oracle software, Gowdiak claimed.
Oracle has acknowledged the company’s findings, but has not responded with any promises, he said. “On 19 October, Oracle communicated to us that they would respond as soon as possible to the results of our fix experiment. But they have not responded so far. Instead, we received a monthly status report from them today,” Gowdiak told TechWeekEurope.
Oracle has not responded to a request for comment.
View Comments
While it would be great to see a bigger focus on security by Oracle, they are absolutely doing the right thing by their customers to not include that fix in the current release.
Even though Gowdiak was able to "plug" the hole with a patch, he is apparently unaware of the support burden of keeping hundreds of thousands of software applications that depend on Java in a working state. Java developers should praise Oracle for being responsible about regression testing.
Part of testing any security fix is making sure it doesn't break anything else. While security fixes are critical, the risk of someone staging a successful attack must be weighed against the more likely effect of an untested patch hurting someone's bread-and-butter server or application.