Thursday, April 15, 2010

Oracles Relents, Offers "Quick & Dirty" Patch

"Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.

"The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.

"Oracle's patch appears quick and dirty, Ormandy said. `They've completely removed the vulnerable feature, literally replaced with 'return 0,'` he said on Twitter...

"Other researchers noted Oracle's turnaround today. `So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure,` said noted browser researcher Alexander Sotirov, also on Twitter..."

From ComputerWorld...

No comments: