Does Oracle patch for Java 7 fix the zero-day flaw?
Oracle has cranked out a patch for Java days after news of a zero-day exploit. But Oracle is short on details on what the patch fixes
Oracle issued a patch today for Java 7. Coincidentally, Java 7 has also been the target of recent attacks thanks to a zero-day exploit. For now, though, its anyone's guess whether or not the new Java 7 patch actually addresses the zero-day exploits, or to what extent.
First, a brief recap. A previously unknown flaw in Java was discovered, and a proof-of-concept (PoC) exploit was developed in the popular Metasploit Framework tool. Metasploit is a tool used by the good guys, but an exploit is an exploit, and the fact that the exploit PoC code was developed for Metasploit means that the exploit is now in the hands of many more would-be attackers.
According to the normal Oracle patch release schedule, the next routine update isn't supposed to occur until October. However, Java is a popular and widely used platform, and it would probably be catastrophic for Oracle to wait a month or more to produce a patch.
Fast forward a few days, and voila! A patch. Maybe. There is definitely an update for Java 7 available from Oracle. However, it's not yet clear what it fixes.
Andrew Storms, director of security operations for nCircle, points out that the release notes do not contain even the most basic information--there's no release date, and the link to the CVE (vulnerability) fixed by the patch just points to a blank Web page.
Storms says, "The world of Oracle users are holding their breath waiting for some kind of definitive official statement," adding, "This is a complete security communication fail on Oracle's part. How do they expect their customers to take advantage of this patch without any additional details?"
If this update from Oracle does resolve the zero-day vulnerability and protect users from the Java attacks circulating in the wild, that would be most excellent news. It would also be a very impressive turnaround from Oracle to crank out a patch so quickly.
Regardless, there's an update for Java that you should probably apply if you use the affected version. It probably fixes the flaws that Oracle has known about since April, but even if it doesn't it must fix something or there'd be no point in developing and publishing it.
If Oracle wants to continue being a respected, trusted software provider, it needs to do a much better job of cranking out updates in a timely manner, and it needs to significantly improve its communications to keep customers informed of what's going on.