Patchy response: Oracle fumbles response to Java flaw


With billions of devices worldwide running Java, Oracle faced a debacle in August as the details of two zero-day vulnerabilities in its popular software were leaked and actively exploited in attacks.

Within a matter of hours, the vulnerabilities were added to the widely used Blackhole exploit kit, roughly doubling the success rate of what is considered one of the most popular attack tools on the web for the criminals who operate it.

Although a patch was released shortly after the bugs went public, security experts questioned Oracle's communication. Much of the damage had presumably already been done: tens of thousands of computers were reportedly infected before the patch was released.

3 billion mobile phones and 1.1 billion desktops run Java. (Source: Oracle)

Rather than addressing the flaw directly with Java users, the company chose to stay mum on the issue. Instead, hordes of researchers issued warnings advising users to disable Java, in particular the browser plug-in through which exploit kits deliver such attacks. According to experts, the average end-user's web experience is not affected by deactivating the plug-in, leaving many to question its usefulness.

Poland-based security firm Security Explorations, which discovered the vulnerabilities, reported its findings to Oracle in April. It expected the company to fix them in its scheduled June security update, but the weaknesses were not addressed.

However, once news of the exploits became public, Oracle made an unusual move and issued an emergency out-of-cycle patch. But its quick reaction was accompanied by a miscue, as the patch released was itself flawed, said Adam Gowdiak, founder and CEO of Security Explorations.

“The update didn't address many of our previously reported issues,” Gowdiak said. “This, along with a recently discovered weakness from Aug. 31, may still allow attackers to achieve a complete Java sandbox bypass.”

While producing a patch may be quick, it is the testing that is arduous, said Tod Beardsley, Metasploit engineering manager at Rapid7. Because Java is used in so many environments, there are a lot of bases to cover before a fix can safely ship.

He says that with such a large user base, Oracle may be a victim of its own success. While some experts continue to criticize the company's response time, Beardsley sees the real problem as communication: Oracle is known to neither confirm nor deny anything.

“That's great if you're government, but companies typically have PR departments for those types of things,” Beardsley said.
