Within a matter of hours, the vulnerabilities were added to the widely used BlackHole exploit toolkit, doubling its success rate for the saboteurs using what's considered one of the most popular threats on the web.
Although a patch was released shortly after the bugs went public, security experts questioned Oracle's communication. The damage had presumably already been done, as tens of thousands of computers were reportedly infected prior to the release of the patch.
3B mobile phones and 1.1B desktops run Java.
– Source: Oracle
Rather than addressing the flaw directly with Java users, the company decided to stay mum on the issue. Instead, hordes of researchers issued warnings, advising users to disable Java. According to experts, the average end-user's web experience is not affected by deactivating the software, leaving many to question its usefulness.
Poland-based security firm Security Explorations, which takes credit for discovering the vulnerabilities, reported its findings to Oracle in April. While it expected the company to issue a patch in its scheduled June security update, the weaknesses were not addressed.
However, once news of the exploits became public, Oracle made an unprecedented move and issued an emergency out-of-cycle patch. But its quick reaction was accompanied by a miscue, as the patches released were flawed, said Adam Gowdiak, founder and CEO of Security Explorations.
“The update didn't address many of our previously reported issues,” Gowdiak said. “This, along with a recently discovered weakness from Aug. 31, may still allow attackers to achieve a complete Java sandbox bypass.”
While producing the patches may be quick, it's the testing that's arduous, said Tod Beardsley, Metasploit engineering manager at Rapid7. Since Java has so many uses, there are a lot of bases to cover.
He says that with such a large user base, Oracle may be a victim of its own success. While some experts continue to criticize the company's response time, the response is more a result of the communication, as Oracle is known to neither confirm nor deny anything.
“That's great if you're government, but companies typically have PR departments for those types of things,” Beardsley said.