Researchers deliver fix for Java 0-day to Oracle
Posted on 23 October 2012.
Polish firm Security Explorations and its CEO Adam Gowdiak continue to be a thorn in Oracle's side by repeatedly questioning the giant's decision not to issue an out-of-band patch for a critical Java flaw in Java SE (Standard Edition) 5, 6 and 7.

According to their research, the vulnerability could allow attackers to bypass the security sandbox in those three versions of Java, which are currently installed on nearly a billion machines around the world.

The flaw was reported by the firm a few weeks before the scheduled October 16 Java Critical Patch Update but, according to Oracle, creating a patch for it and testing it would have seriously delayed the update, so Oracle chose to leave it for the next one, which is scheduled for February 2013.

Security Explorations had to accept the answer, but were obviously not resigned to take it at face value, as Gowdiak revealed in his Monday post on the Full Disclosure mailing list.

Taking into consideration that Oracle Critical Patch Updates go through extensive integration testing with other products such as JRockit, WebLogic Server, and E-Business Suite, Gowdiak and his team conducted a "small Vulnerability Fix Experiment".

They discovered that the fix can be implemented within half an hour, that only 25 characters in the source code needed to be changed in order to implement it, and that the fix does not seem to require any integration tests with other Oracle application software, as the code logic had not been changed at all and would not influence third-party applications.

"We provided Oracle corporation with the results of our analysis on Oct 19, 2012," concludes Gowdiak. "We hope our quick experiment sufficiently challenges the company and that it leads to the verification of Oracle's stance, especially the one relying on a need for four additional months to implement and release a security update for a critical security issue in Java (Issue 50), which we believe (and are hopefully correct with respect to the analysis conducted) can be addressed within less than 30 min."

I guess the ball is in Oracle's court now.

Copyright 1998-2014 by Help Net Security.