ITWire

Following the April discovery of a set of major vulnerabilities in Java, Oracle has been endlessly criticised for its tardy response. In fact it has widely been reported that exploits targeting these vulnerabilities have been included in both Metasploit and Blackhole, making the exploitation of these security holes nothing more than point-and-click.

Note that Oracle has a rolling 4-month patching cycle for Java: patches are released every two months with security patches occupying one two-month slot and bug fixes / enhancements the other slot. This of course means that we can be forced to wait many months for an issue to be addressed, especially if the resolution is not ready when the security update is released.

Having previously announced that the public would have to wait until the regular October security patch cycle, late last week, Oracle rushed a patch to market.

Rushed is the key-word here.

It quickly became apparent that the patch addressed only some of the attack vectors; soon after, it became clear it didn't even do that.

Polish security organisation Security Explorations discovered the original flaws and communicated them directly to Oracle (who acquired ownership of Java as part of the merger with Sun Microsystems) in April. Some months later, Oracle was being criticised for not addressing the issue. Security Explorations' diary of the events lends credence to the criticism.

Things rapidly came to a head when active exploitations were observed in the wild.

It would seem that in the past few days, Oracle was finally stung into action and released the patch kit widely reported in the Tech Media.

Most commentators (myself included in a comment to the above link) suggested users rush to apply the patched version of Java.

I hereby rescind that advice.

Just a few hours after the patch was made available, Security Exploration's Adam Gowdiak posted to Seclists his thoughts that the patch contains a bug which makes some of the not-yet-patched vulnerabilities easier to exploit.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."

One might suggest that this is just a tiny bit embarrassing for Oracle. Be that as it may, it's closer to a disaster for the rest of us.

Unless it is crucial to your web operations, we strongly suggest you disable java wherever it is in use on your computer. Sophos' Graham Cluley offers instructions on how to do that.

Alternately, Brian Krebs suggests that, if you must use Java in a browser, you should run it ONLY in a secondary browser which is used for nothing more than to access the locations which require it; all other web access should be through a browser with Java disabled.