
Oracle Could Fix Serious Java Security Flaw ‘In 30 Minutes’

Oracle failed to fix a major flaw in its latest Java release even though it knew of the issue, and has been told it could release a patch in just 30 minutes.

Earlier this month, Larry Ellison’s software behemoth released a fresh version of Java, fixing 30 vulnerabilities, but missing one that it had been told about in late September.

That flaw, uncovered by Polish firm Security Explorations, could allow an attacker to achieve a complete Java security sandbox bypass, which could in turn let them install malware on victims’ machines. It affects Java SE 5, 6 and 7, meaning all modern, widely-used versions are hit.

Given how much criticism was levelled at Oracle for failing to patch a separate Java vulnerability it had known about for months, and which was recently actively exploited by cyber criminals, it would have been little surprise if the firm had issued an out-of-band fix soon after it had been informed.

Java security issues to stick around?

Oracle currently plans to patch the vulnerability in February next year, but is being taken to task by Security Explorations, led by CEO Adam Gowdiak, for being so slow.

He claimed that Oracle said it was too late to include fixes for the security hole, which Gowdiak calls “Issue 50”. “The company was in the final stages of extensive testing of October 2012 Java SE CPU when it received Issue 50 report,” he said in a post on Seclists.org.

“Upon evaluation of Issue 50 and the options to fix it, company’s assessment was that it was too late to include fixes in the October Java SE CPU.”

Irked by Oracle’s response, Gowdiak and his researchers kicked off a “Vulnerability Fix Experiment”. Security Explorations subsequently claimed the problem could be addressed in half an hour, with only 25 characters of source code needing to be altered.

Furthermore, the changes would not require any integration tests with other Oracle software, Gowdiak claimed.

Oracle has acknowledged the company’s findings, but has not responded with any promises, he said. “On 19 October, Oracle communicated to us that they would respond as soon as possible to the results of our fix experiment. But they have not responded so far. Instead, we received a monthly status report from them today,” Gowdiak told TechWeekEurope.

Oracle has not responded to a request for comment.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • While it would be great to see a bigger focus on security by Oracle, they are absolutely doing the right thing by their customers to not include that fix in the current release.

    Even though Gowdiak was able to "plug" the hole with a patch, he is apparently unaware of the support burden of keeping hundreds of thousands of software applications that depend on Java in a working state. Java developers should praise Oracle for being responsible about regression testing.

    Part of testing any security fix is making sure it doesn't break anything else. While security fixes are critical, the risk of someone staging a successful attack must be weighed against the more likely effect of an untested patch hurting someone's bread-and-butter server or application.
