It appears as if Oracle on Thursday released an emergency fix for a severe vulnerability in Sun Java after it was revealed in two separate disclosures last week.
The update plugs three holes in Java. Presumably the Java Web Start fix addresses the flaw in question, which involves the Java Deployment Toolkit browser plug-in failing to properly validate parameters, according to a Secunia advisory issued Monday. This can allow attackers to execute a JAR (Java Archive) file "on a network share in a privileged context."
In fact, the flaw has been leveraged in active attacks beginning this week.
However, I can't confirm the update closes the vulnerability because Oracle, which owns Sun, won't get back to me. And in its update advisory, it does not credit anyone with the flaw find.
Matter of fact, the company has made no mention of the bug at all since it was announced. One of the discovering researchers said the company told him that it didn't consider the issue enough of a big deal to warrant an out-of-cycle fix.
It appears Oracle has changed its mind. Today's update, especially considering it was distributed out of cycle, certainly looks like the patch.
But, through some casual Twitter browsing today, I've seen contradictory tweets from researchers on whether this is actually the update for the vulnerability. (The Ormandy the second tweet refers to is Tavis Ormandy, the Google researcher who went Full Disclosure with the bug last Friday).
The "for": https://twitter.com/manzuik/status/12226294385
The "against": https://twitter.com/vlna/status/12230959161
So which one is it? I don't know.
I must admit, it's very disconcerting that a software vendor would not publicly make any statements regarding a security issue that has gotten widespread coverage, both in established media outlets and across social networking channels.
There are customers to worry about...right, Oracle?