Oracle patch featured

Oracle Could Fix Serious Java Security Flaw ‘In 30 Minutes’

Researchers say Oracle could shore up Java security in just half an hour

On by Thomas Brewster 1

Oracle failed to fix a major flaw in its latest Java release even though it knew of the issue, and has been told it could release a patch in just 30 minutes.

Earlier this month, Larry Ellison’s software behemoth released a fresh version of Java, fixing 30 vulnerabilities, but missing one that it had been told about in late September.

That flaw, uncovered by Polish firm Security Explorations, could allow a hacker to achieve a complete Java security sandbox bypass, which could in turn allow them to put plenty of nasty stuff on victims’ machines. It affects Java SE 5, 6 and 7 – meaning all modern, widely-used versions are hit.

Given how much criticism was levelled at Oracle for failing to patch a separate Java vulnerability it had known about for months, and which was recently actively exploited by cyber criminals, it would have been little surprise if the firm had issued an out-of-band fix soon after it had been informed.

Java security issues to stick around?

Oracle currently plans to patch the vulnerability in February next year, but is being taken to task by Security Explorations, led by CEO Adam Gowdiak, for being so slow.

He claimed that Oracle said it was too late to include fixes for the security hole, which Gowdiak calls “Issue 50”. “The company was in the final stages of extensive testing of October 2012 Java SE CPU when it received Issue 50 report,” he said in a post on Seclists.org.

“Upon evaluation of Issue 50 and the options to fix it, company’s assessment was that it was too late to include fixes in the October Java SE CPU.”

Irked by Oracle’s response, Gowdiak and his researchers kicked off a “Vulnerability Fix Experiment”. Subsequently, it claimed the problem could be addressed in half an hour, and just 25 characters need to be altered in the source code.

Furthermore, the changes would not require any integration tests with other Oracle software, Gowdiak claimed.

Oracle has acknowledged the company’s findings, but has not responded with any promises, he said. “On 19 October, Oracle communicated to us that they would respond as soon as possible to the results of our fix experiment. But they have not responded so far. Instead, we received a monthly status report from them today,” Gowdiak told TechWeekEurope.

Oracle has not responded to a request for comment.

How well do you know Internet security? Try our quiz and find out!

Thomas Brewster

Author: Thomas Brewster

Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment




One reply to Oracle Could Fix Serious Java Security Flaw ‘In 30 Minutes’

  • On October 23, 2012 at 5:58 pm by greg

    While it would be great to see a bigger focus on security by Oracle, they are absolutely doing the right thing by their customers to not include that fix in the current release.

    Even though Gowdiak was able to “plug” the hole with a patch, he is apparently unaware of the support burden of keeping hundreds of thousands of software applications that depend on Java in a working state. Java developers should praise Oracle for being responsible about regression testing.

    Part of testing any security fix is making sure it doesn’t break anything else. While security fixes are critical, the risk of someone staging a successful attack must be weighed against the more likely effect of an untested patch hurting someone’s bread-and-butter server or application.

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>