Patchy response: Oracle fumbles response to Java flaw


With billions of devices worldwide running Java, Oracle faced a debacle in August as the details for two zero-day exploits in its popular software were leaked and actively used in attacks.

Within a matter of hours, the vulnerabilities were added to the widely used BlackHole exploit toolkit, doubling its success rate for the saboteurs using what's considered one of the most popular threats on the web.

Although a patch was released shortly after the bugs went public, security experts questioned Oracle's communication. The damage had presumably already been done, as tens of thousands of computers were reportedly infected prior to the release of the patch.

3B mobile phones and 1.1B desktops run Java.

– Source: Oracle

Rather than addressing the flaw directly with Java users, the company decided to stay mum on the issue. Instead, hordes of researchers issued warnings, advising users to disable Java. According to experts, the average end-user's web experience is not affected by deactivating the software, leaving many to question its usefulness.

Poland-based security firm Security Explorations, which takes credit for discovering the vulnerabilities, reported its findings to Oracle in April. While it expected the company to issue a patch in its scheduled June security update, the weaknesses were not addressed.

However, once news of the exploits became public, Oracle made an unprecedented move and issued an emergency out-of-cycle patch. But its quick reaction was accompanied by a miscue, as the patches released were flawed, said Adam Gowdiak, founder and CEO of Security Explorations.

“The update didn't address many of our previously reported issues,” Gowdiak said. “This, along with a recently discovered weakness from Aug. 31, may still allow attackers to achieve a complete Java sandbox bypass.”

While producing the patches may be quick, it's the testing that's arduous, said Tod Beardsley, Metasploit engineering manager at Rapid7. Since Java has so many uses, there are a lot of bases to cover.

He says that with such a large user base, Oracle may be a victim of its own success. While some experts continue to criticize the company's response time, the sharper criticism concerns its communication, as Oracle is known to neither confirm nor deny anything.

“That's great if you're government, but companies typically have PR departments for those types of things,” Beardsley said. 
