Researchers say Oracle could shore up Java security in just half an hour
Oracle failed to fix a major flaw in its latest Java release even though it knew of the issue, and has been told it could release a patch in just 30 minutes.
Earlier this month, Larry Ellison’s software behemoth released a fresh version of Java, fixing 30 vulnerabilities, but missing one that it had been told about in late September.
That flaw, uncovered by Polish firm Security Explorations, could allow a hacker to achieve a complete Java security sandbox bypass, which could in turn allow them to put plenty of nasty stuff on victims’ machines. It affects Java SE 5, 6 and 7 – meaning all modern, widely-used versions are hit.
Given how much criticism was levelled at Oracle for failing to patch a separate Java vulnerability it had known about for months, and which was recently actively exploited by cyber criminals, it would have been little surprise if the firm had issued an out-of-band fix soon after it had been informed.
Java security issues to stick around?
Oracle currently plans to patch the vulnerability in February next year, but is being taken to task by Security Explorations, led by CEO Adam Gowdiak, for being so slow.
He claimed that Oracle said it was too late to include fixes for the security hole, which Gowdiak calls “Issue 50”. “The company was in the final stages of extensive testing of October 2012 Java SE CPU when it received Issue 50 report,” he said in a post on Seclists.org.
“Upon evaluation of Issue 50 and the options to fix it, company’s assessment was that it was too late to include fixes in the October Java SE CPU.”
Irked by Oracle’s response, Gowdiak and his researchers kicked off a “Vulnerability Fix Experiment”. Subsequently, it claimed the problem could be addressed in half an hour, and just 25 characters need to be altered in the source code.
Furthermore, the changes would not require any integration tests with other Oracle software, Gowdiak claimed.
Oracle has acknowledged the company’s findings, but has not responded with any promises, he said. “On 19 October, Oracle communicated to us that they would respond as soon as possible to the results of our fix experiment. But they have not responded so far. Instead, we received a monthly status report from them today,” Gowdiak told TechWeekEurope.
Oracle has not responded to a request for comment.
How well do you know Internet security? Try our quiz and find out!