Oracle Patches Java 7 Vulnerability

First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet."

Too little too late

[onyxruby]

I killed Java 7 on Monday at my work. I won't bring it back any time soon. Oracle, in case you care this is how you messed this up royally:

1. You sat on this since April.
2. Exploits have been in the wild since last weekend and you didn't even acknowledge it until today.
3. The community was left to fend for themselves, and the only way to fend for themselves was to /remove/ your product.

This is how you should have had handled this:
1. You should have patched this during your normal patch release cycle that you had since April.
2. You should have immediately acknowledged the exploit.
3. You should have immediately acknowledged the breadth of the exploit.
4. A very simple note on your blog to the affect of "were working on this, expect something shortly" would have made all the difference.

As a result of your failure to take security half as seriously as Microsoft (I never could have imagined I would say that 10 years ago), I spent the first have of my week testing an emergency uninstall package of Java for multiple platforms. After getting it approved through an ECAB and rushing it into production - since I had no idea when you were going to release a patch I uninstalled Java 7 system wide at a very large institution this week.

After my emergency uninstall went into production it came up in a meeting with management today that an out of band patch got released today. At this point my response to management was simple, "too late". No one questioned my decision and Java 7 is now gone.

Learn from this Oracle, learn from this, you royally fucked this up.

Also Java 6 u35 (Apparently)

[AlienSexist]

Coincidentally Java 6 update 35 was also released at the same time. The release notes cite a security fix. All CVE [nist.gov] entries and info I could find only describe this issue as a Java 7 vulnerability. I had not see any confirmation yet that it also applied to Java 6 other than the brand new update [oracle.com].

Re:sweet

[qubezz]

I'll call them scum for attempting to foist the Ask Toolbar on us again for a security update.

Source of revenue: patches with crapware

[bitflusher]

The thing on my mind is, how much does Oracle earn with a patch release. The ask toolbar crapware is installed by default and people hitting "next next next" will be infected. Only by installing this with care you will not get the ask toolbar. I know they are not alone in this (adobe wants to install the crome browser as default AND the google toolbar for IE, talk about redundancy) but they incorporate it in all updates..