Java Oracle Security

Researcher Develops Patch For Java Zero Day In 30 Minutes

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
  • Code review (Score:5, Insightful)

    by danomac ( 1032160 ) on Tuesday October 23, 2012 @06:21PM (#41745977)

    They'd have to review the patch first, I doubt they'll push any patch out without testing it. At least you'd hope so...

  • by Anonymous Coward on Tuesday October 23, 2012 @06:33PM (#41746097)

    It's in testing.

  • by NinjaTekNeeks ( 817385 ) on Tuesday October 23, 2012 @06:49PM (#41746209)
    Provided to Oracle on the 19th and Oracle plans to patch it in February. This has got to be a dream come true for the bad guys, while Oracle tests the fix, they can find and start adding it to their exploit kits.
  • well... (Score:4, Insightful)

    by SuperDre ( 982372 ) on Tuesday October 23, 2012 @06:57PM (#41746269) Homepage
    Writing the patch might not take a long time; testing it to make sure it doesn't break any software out there (except exploits, of course) does. A lot of times it's easy to fix stuff, but you just can't release it if it breaks a lot of stuff which is already out there, and that's where the problem lies.
  • Re:Code review (Score:5, Insightful)

    by wonkey_monkey ( 2592601 ) on Tuesday October 23, 2012 @07:02PM (#41746303) Homepage
    Exactly. The amount of time taken to write a patch is almost entirely inconsequential here. It's the time taken to ensure that the patch doesn't accidentally open 1001 other holes that matters.

    A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce

    And someone at Java may have written a patch for the exploit in 1 minute six weeks ago. In terms of actual useful information this headline probably boils down to

    Researcher Develops Patch For Java Zero Day

    which isn't quite as immediately sexy.

  • Re:5 months? (Score:5, Insightful)

    by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Tuesday October 23, 2012 @07:43PM (#41746573) Homepage

    Microsoft has Patch Tuesday, Oracle has Patch February...

  • Oracle hasn't in the past worked with a lot of end user software, and it shows. I get the impression Larry Ellison doesn't like the short turnaround required for desktop software updates. The out-of-band Java update they released for (at least) Windows 7 a couple weeks ago was disorganized. Two support people at work managed to install separate versions on their own computers. Version 7 is actually a point update of version 6. They may be the same version, and only show differently in Control Panel. Our company uses a lot of Java (and Oracle software) and it's getting difficult to keep it organized and keep Oracle products talking to other Oracle products.

    I can imagine their biggest problem is the number of platforms they have to support-- and software versions. I've learned to skim through the documentation for indications of incompatibility between versions of software before installing anything. Grumble.
