
Does Oracle Patch for Java 7 Fix the Zero-Day Flaw?

Oracle has cranked out a patch for Java 7 days after news of a zero-day exploit, but it is short on details about what the patch actually fixes.

Oracle issued a patch today for Java 7, the same version that has been the target of recent attacks through a zero-day exploit. For now, though, it's anyone's guess whether the new Java 7 patch actually addresses that zero-day, or to what extent.

First, a brief recap. A previously unknown flaw in Java was discovered, and a proof-of-concept (PoC) exploit for it was added to the popular Metasploit Framework. Metasploit is built for penetration testers and other defenders, but an exploit is an exploit: once a working module is published in Metasploit, the exploit is in the hands of many more would-be attackers, most of whom could never have written it themselves.

According to the normal Oracle patch release schedule, the next routine update isn't supposed to occur until October. However, Java is a popular and widely used platform, and it would probably be catastrophic for Oracle to wait a month or more to produce a patch.

Fast forward a few days, and voila! A patch. Maybe. There is definitely an update for Java 7 available from Oracle. However, it's not yet clear what it fixes.

Andrew Storms, director of security operations for nCircle, points out that the release notes do not contain even the most basic information: there is no release date, and the link to the CVE entry for the vulnerability the patch supposedly fixes points to a blank Web page.

Storms says, "The world of Oracle users are holding their breath waiting for some kind of definitive official statement," adding, "This is a complete security communication fail on Oracle's part. How do they expect their customers to take advantage of this patch without any additional details?"

If this update from Oracle does resolve the zero-day vulnerability and protect users from the Java attacks circulating in the wild, that would be most excellent news. It would also be a very impressive turnaround from Oracle to crank out a patch so quickly.

Apparently, though, the vulnerabilities aren't news to Oracle. Security researchers reported the flaws to Oracle months ago, but Oracle was sitting on the fix until the scheduled October update.

Regardless, there is an update for Java 7 available, and if you run the affected version you should apply it. It most likely fixes the flaws that Oracle has known about since April; even if it doesn't, an out-of-cycle release presumably fixes something, or there would have been no point in developing and publishing it.
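Before applying the update, the practical question is which Java 7 build is actually installed on a given machine. The script below is an added example, not code from the article, Oracle or nCircle: it parses the banner that `java -version` prints and reports whether the installed Java 7 is below a required update level. The required level is a parameter you take from Oracle's own release notes (the article makes clear that they are thin, so this script assumes nothing about which update fixes the flaw); the banner text and the value 9 used in the sample run are constructed for illustration only.

```shell
#!/bin/sh
# Added example: decide whether an installed Java 7 is below a required
# update level, working only from the text that `java -version` prints.
# Usage on a live system:  needs_java7_update "$(java -version 2>&1)" "$REQUIRED"

# Pull "major.minor.micro_update" out of the first banner line, e.g.
#   java version "1.7.0_05"   ->  1.7.0_05
# Prints nothing if no such line is present.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([0-9._]*\)".*/\1/p' | head -n 1
}

# Print the update level (the number after the underscore) as a plain
# decimal, or 0 when the version string carries no update suffix.
java_update_level() {
    ver=$(java_version_string "$1")
    case "$ver" in
        *_*)
            upd=$(printf '%s\n' "${ver#*_}" | sed 's/^0*//')   # "05" -> "5"
            [ -n "$upd" ] || upd=0
            printf '%s\n' "$upd"
            ;;
        *)
            printf '0\n'
            ;;
    esac
}

# Exit status 0 (true) when the banner describes a Java 7 runtime whose
# update level is below $2.  Anything that is not Java 7 is out of scope
# for this check and yields 1 (false).
#   $1: text of the java -version banner
#   $2: minimum update level required, taken from the vendor's release notes
needs_java7_update() {
    ver=$(java_version_string "$1")
    case "$ver" in
        1.7.*) ;;          # Java 7: continue to the comparison
        *) return 1 ;;     # not Java 7 (or no banner at all)
    esac
    [ "$(java_update_level "$1")" -lt "$2" ]
}

# --- constructed sample banners (not captured from any real system) ---
SAMPLE_OLD='java version "1.7.0_05"
Java(TM) SE Runtime Environment (build 1.7.0_05-b06)'
SAMPLE_NEW='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)'
SAMPLE_J6='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)'

# Placeholder only: substitute the update level named in Oracle's release notes.
REQUIRED_UPDATE=9

# Sample run: reports "update needed" for the old build, "ok" for the newer one.
for banner in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_J6"; do
    if needs_java7_update "$banner" "$REQUIRED_UPDATE"; then
        echo "$(java_version_string "$banner"): update needed"
    else
        echo "$(java_version_string "$banner"): ok or not Java 7"
    fi
done
```

On a real host the banner comes from `java -version 2>&1` (the JVM writes it to stderr), and on a workstation with several runtimes the browser plugin may not be the `java` on your PATH, so check each installation directory rather than trusting a single invocation.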

If Oracle wants to continue being a respected, trusted software provider, it needs to do a much better job of cranking out updates in a timely manner, and it needs to significantly improve its communications to keep customers informed of what's going on.
