Does Oracle Patch for Java 7 Fix the Zero-Day Flaw?

Oracle has cranked out a patch for Java days after news of a zero-day exploit. But Oracle is short on details on what the patch fixes.

Oracle issued a patch today for Java 7. Coincidentally, Java 7 has also been the target of recent attacks thanks to a zero-day exploit. For now, though, it's anyone's guess whether or not the new Java 7 patch actually addresses the zero-day exploits, or to what extent.

First, a brief recap. A previously unknown flaw in Java was discovered, and a proof-of-concept (PoC) exploit was developed in the popular Metasploit Framework tool. Metasploit is a tool used by the good guys, but an exploit is an exploit, and the fact that the exploit PoC code was developed for Metasploit means that the exploit is now in the hands of many more would-be attackers.

According to the normal Oracle patch release schedule, the next routine update isn't supposed to occur until October. However, Java is a popular and widely used platform, and it would probably be catastrophic for Oracle to wait a month or more to produce a patch.

Fast forward a few days, and voila! A patch. Maybe. There is definitely an update for Java 7 available from Oracle. However, it's not yet clear what it fixes.

Andrew Storms, director of security operations for nCircle, points out that the release notes do not contain even the most basic information: there's no release date, and the link to the CVE (vulnerability) fixed by the patch just points to a blank Web page.

Storms says, "The world of Oracle users are holding their breath waiting for some kind of definitive official statement," adding, "This is a complete security communication fail on Oracle's part. How do they expect their customers to take advantage of this patch without any additional details?"

If this update from Oracle does resolve the zero-day vulnerability and protect users from the Java attacks circulating in the wild, that would be most excellent news. It would also be a very impressive turnaround from Oracle to crank out a patch so quickly.

Apparently, though, the vulnerabilities aren't news to Oracle. Security researchers reported the flaws to Oracle months ago, but Oracle was sitting on the fix until the scheduled October update.

Regardless, there's an update for Java that you should probably apply if you use the affected version. It probably fixes the flaws that Oracle has known about since April, but even if it doesn't it must fix something or there'd be no point in developing and publishing it.

If Oracle wants to continue being a respected, trusted software provider, it needs to do a much better job of cranking out updates in a timely manner, and it needs to significantly improve its communications to keep customers informed of what's going on.

Stories by Tony Bradley

Latest Videos

More videos

Blog Posts