The patch was subjected to only limited testing and, like any unofficial patch, comes with no guarantee that it won't prevent legitimate programs from working properly after it is deployed. Because of this, DiMino and Parkour are only giving it to companies that email them and clearly explain the reasons for needing it.
If there is any conclusion to draw from these proposed mitigation methods, it is that none of them will fit everyone's needs.
"The most appropriate strategy is going to vary greatly depending on your organization's security posture as well as the extent you are using Java in business critical apps," Stephen Cobb, a security evangelist at antivirus vendor ESET, said Tuesday via email. "All of which makes endorsing a specific strategy for everyone impractical."
Many security experts, including Wisniewski and Cobb, believe that Oracle should break out of its regular 4-month patching cycle and fix this vulnerability as soon as possible. The next batch of security patches for Oracle products is otherwise scheduled to be released in October.