Critical flaw in Oracle Java SE impacts over 1 billion users

For discussions about security.
Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada


#1 Post by Monsie »

Hi all,

While there are no reported attacks in the wild yet, this is a serious flaw in the Java virtual machine that allows an attacker to take over a user's system... This vulnerability is found in Java Standard Edition (it used to be called JRE I think) 5, 6, & 7 and apparently affects most platforms: Windows, Mac, Linux, and Solaris. Details can be found here at Ars Technica along with lots of relevant links for further info.

Apparently Oracle has not responded to this situation yet, but it is hoped that there will be a patch by mid October which is the next scheduled update.

Users of OpenJDK may or may not be affected... nothing has been confirmed yet, but since OpenJDK uses a different code base, there is discussion to suggest there's some chance the flaw will not impact it, or that the effects will be less severe. I don't know if anyone has managed to successfully install OpenJDK in any breed of Puppy Linux or not, but some people including myself will be looking at OpenJDK impact as well since it is used in many distros now in lieu of Oracle Java.

Monsie
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.

darkcity
Posts: 2534
Joined: Sun 23 May 2010, 19:16
Location: near here

#2 Post by darkcity »

It's worrying: Oracle knew about previous flaws but did nothing.
http://www.theregister.co.uk/2012/08/30 ... out_flaws/

There is speculation Oracle can not keep up with fixes.

What license is it released under?

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada


#3 Post by Monsie »

Apparently, there are up to fifty outstanding security issues in Java SE at present as explained here: http://www.security-explorations.com/en ... tatus.html
The good news is that apparently Oracle has developed fixes for most of these flaws... and hopefully it will release all of its fixes by the next regularly scheduled critical patch update in mid-October, though it sounds like the latest critical flaw (as per this thread) might not be fixed by then, in which case Oracle will either issue an out-of-band patch or make everyone wait until the following scheduled update (February 2013). I suspect what will make the difference here is if any exploits are discovered in the wild. Some tech writers are suggesting that fixes might be slow in being issued because enterprises need time to test and deploy any patches. But then, isn't this one of the reasons there is an Enterprise Edition of Oracle Java as well as the Standard Edition? That being the case, why should the rest of the user base have to wait for these security fixes to be issued? Unless enterprises are using the Standard Edition also... but then, that begs the question as to why this would be allowed.

Beyond that, some security companies are issuing various patches for some of these flaws, but really (it seems to me) these "fixes" can only be workarounds, because Oracle has its own license for Java SE, which means Oracle is the only body that can touch the code base. Now, I am no legal expert re: software licensing, but for the sake of discussion I will call Oracle's license proprietary; whether that is technically correct, I don't know. In any event, I assume any patches put forward by security companies would allow a business to continue to use Java SE, thus avoiding any inconvenience or hardship from otherwise having to uninstall or disable Java SE until the scheduled update from Oracle.

Monsie

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada


#4 Post by Monsie »

Hi all,

Here's an update to confirm that Oracle released its latest Java SE runtime version on October 16th. Only about 30 flaws were fixed, as reported in this article right here, and the critical flaw that sparked my initial post is still outstanding. It will not be fixed until the next scheduled patch release come February, apparently. One can only hope this flaw is not exploited in the meantime...

Monsie
