Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle Patches Java 7 Vulnerability

Posted by samzenpus on from the patch-it-up dept.

First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet."

9 of 58 comments (clear)

  1. Was That So Hard? by rsmith-mac · · Score: 5, Informative

    See guys, was that so hard? Now next time you should focus on getting the patch out before it gets exploited in the wild, since you've been sitting on this exploit for the last 4 months.

    1. Re:Was That So Hard? by El_Oscuro · · Score: 4, Funny

      Apparantely so. Just google Oracle TNS Listener Poison vulnerability for a real cluster fuck.

      --
      "Be grateful for what you have. You may never know when you may lose it."
  2. Re:Most Mac users are SOL by Anonymous Coward · · Score: 4, Informative

    Fact: Java 6 isn't vulnerable to this attack.

    There are other problems that they are exposed to, but this isn't one of them.

  3. Re:sweet by Charliemopps · · Score: 5, Funny

    I have to deal with Oracle every day. They operate much like a company that I used to work for... ATT. ATT is so large, so ubiquitous, their profits so untouchable, that they just don't give a shit anymore. They don't need to. To address a problem, ATT creates a new department, at the expense of millions of dollars. Often that new department does something as trivial as copy data from one system to another. Hiring a team of 10 people to do manual data entry all day every day is easier/cheaper than paying developers to do it right.

    Knowing what I know of Oracle, I'm sure that the "Mal-ware investigatory department" sent in form 24b-FF with a priority level 3 as soon as they knew about the issue. That form was received by a "Critical patch program director" who then scheduled the appropriate conference calls and meetings to discuss who would head up, design, testing, implementation, cost projections, etc... Once the team was assembled 2hr meetings with catered lunch were scheduled daily to discuss progress and adjusted cost projections. Now that the patch has been released, they will enter a post patch analysis of self aggrandizing back patting.

    You can't get rid of Oracle. They are the ATT of Databases. Everyone is stuck with them, they know it, we just have to bend over and hope they use lube.

  4. Too little too late by onyxruby · · Score: 4, Interesting

    I killed Java 7 on Monday at my work. I won't bring it back any time soon. Oracle, in case you care this is how you messed this up royally:

    1. You sat on this since April.
    2. Exploits have been in the wild since last weekend and you didn't even acknowledge it until today.
    3. The community was left to fend for themselves, and the only way to fend for themselves was to /remove/ your product.

    This is how you should have had handled this:
    1. You should have patched this during your normal patch release cycle that you had since April.
    2. You should have immediately acknowledged the exploit.
    3. You should have immediately acknowledged the breadth of the exploit.
    4. A very simple note on your blog to the affect of "were working on this, expect something shortly" would have made all the difference.

    As a result of your failure to take security half as seriously as Microsoft (I never could have imagined I would say that 10 years ago), I spent the first have of my week testing an emergency uninstall package of Java for multiple platforms. After getting it approved through an ECAB and rushing it into production - since I had no idea when you were going to release a patch I uninstalled Java 7 system wide at a very large institution this week.

    After my emergency uninstall went into production it came up in a meeting with management today that an out of band patch got released today. At this point my response to management was simple, "too late". No one questioned my decision and Java 7 is now gone.

    Learn from this Oracle, learn from this, you royally fucked this up.

    1. Re:Too little too late by TubeSteak · · Score: 4, Insightful

      If your company didn't need Java to interact with internal or client/vendor/etc websites, you probably shouldn't have it installed in the first place.
      Firewalls and antivirus scanners are nice, but reducing the attack surface is better.

      --
      [Fuck Beta]
      o0t!
  5. Re:sweet by qubezz · · Score: 4, Interesting

    I'll call them scum for attempting to foist the Ask Toolbar on us again for a security update.

  6. Re:Most Mac users are SOL by Anonymous Coward · · Score: 4, Informative

    Fact: Java 6 isn't vulnerable to this attack.

    Wrong, Java 6 is affected. From the "Security Alert":

    Affected product releases and versions:
    JDK and JRE 7 Update 6 and before
    JDK and JRE 6 Update 34 and before

    But it appears Oracle did not provide a patch for Java 6 yesterday.

  7. Bing!!! by Fuzzums · · Score: 4, Insightful

    Wouldn't it be great if Microsoft bundled a bing search toolbar with every .net update..
    Well. No.
    For the same reason: DieAskToolbarDie.

    --
    Privacy is terrorism.