Slashdot Mirror


Researcher Develops Patch For Java Zero Day In 30 Minutes

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."

5 of 57 comments

  1. Code review by danomac · · Score: 4, Insightful

    They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

    1. Re:Code review by wonkey_monkey · · Score: 4, Insightful
      Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

      A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

      And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

      Researcher Develops Patch For Java Zero Day

      which isn't quite as immediately sexy.

      --
      systemd is Roko's Basilisk.
  2. well... by SuperDre · · Score: 4, Insightful

    writing the patch might not take a long time, testing that it doesn't break any software out there (except exploits of course) does.. a lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies..

  3. Re:5 months? by Local+ID10T · · Score: 4, Insightful

    Microsoft has Patch Tuesday, Oracle has Patch February...

    --
    "You want to know how to help your kids? Leave them the fuck alone." -George Carlin