

Oracle Patches Java 7 Vulnerability
First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem.
In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.'"
Too little too late (Score:5, Interesting)
I killed Java 7 on Monday at my work. I won't bring it back any time soon. Oracle, in case you care, this is how you messed this up royally:
1. You sat on this since April.
2. Exploits have been in the wild since last weekend and you didn't even acknowledge it until today.
3. The community was left to fend for themselves, and the only way to fend for themselves was to /remove/ your product.
This is how you should have handled this:
1. You should have patched this during your normal patch release cycle that you had since April.
2. You should have immediately acknowledged the exploit.
3. You should have immediately acknowledged the breadth of the exploit.
4. A very simple note on your blog to the effect of "we're working on this, expect something shortly" would have made all the difference.
As a result of your failure to take security half as seriously as Microsoft (I never could have imagined I would say that 10 years ago), I spent the first half of my week testing an emergency uninstall package of Java for multiple platforms. After getting it approved through an ECAB and rushing it into production - since I had no idea when you were going to release a patch - I uninstalled Java 7 system wide at a very large institution this week.
After my emergency uninstall went into production it came up in a meeting with management today that an out of band patch got released today. At this point my response to management was simple, "too late". No one questioned my decision and Java 7 is now gone.
Learn from this Oracle, learn from this, you royally fucked this up.
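The emergency removal the commenter above describes is, on the Windows hosts the exploit targeted, an inventory of the Uninstall registry keys followed by an `msiexec /x` of each Java 7 product code. The script below is an added example written for this page, not the commenter's package and not anything from Oracle. It assumes Java was installed from Oracle's MSI installer, so each entry's key name is the MSI product GUID and its `DisplayName` reads like "Java 7 Update 6" or "Java SE Development Kit 7 Update 6"; Java 6 entries are deliberately left alone. Without `-Uninstall` it only reports what it finds, which is the mode to run first when pushing this to a fleet.

```powershell
# Added example (not from the Slashdot post or from Oracle): list Java 7 runtimes and JDKs
# registered in the Windows Uninstall keys and, with -Uninstall, remove them via msiexec.
# Assumption: the entries come from Oracle's MSI package, so the key name is a product GUID.
param(
    [switch]$Uninstall   # omit this switch to audit only; nothing is removed
)

# Both native and 32-bit-on-64-bit views, because the JRE was often installed as x86.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$java7 = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Matches "Java 7 Update N", "Java(TM) 7 Update N" and "Java SE Development Kit 7 ...",
        # but not "Java(TM) 6 Update 35", which stays installed.
        if ($p.DisplayName -match '^Java(\(TM\))?\s+(SE Development Kit\s+)?7\b') {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                ProductCode     = $_.PSChildName      # MSI product GUID for msiexec /x
                UninstallString = $p.UninstallString
            }
        }
    }
}

if (-not $java7) {
    Write-Output 'No Java 7 runtime or JDK is registered on this host.'
    exit 0
}

# Audit output: what would be removed.
$java7 | Format-Table -AutoSize

if ($Uninstall) {
    foreach ($entry in $java7) {
        # Only act on genuine MSI product codes; anything else needs a human to look at it.
        if ($entry.ProductCode -notmatch '^\{[0-9A-F-]{36}\}$') {
            Write-Warning "Skipping $($entry.DisplayName): key name is not an MSI product code"
            continue
        }
        Write-Output "Removing $($entry.DisplayName) ($($entry.ProductCode))"
        # /qn = silent, /norestart = never reboot a user's workstation from a fleet push.
        $proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/x $($entry.ProductCode) /qn /norestart" -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            Write-Warning "msiexec exited with $($proc.ExitCode) for $($entry.DisplayName)"
        }
    }
}
```

Run it once without `-Uninstall` from an elevated prompt and keep the table as the change record; non-zero `msiexec` exit codes (1618 for another installation in progress, 3010 for reboot required) are the ones worth reviewing before declaring a host clean.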
Also Java 6 u35 (Apparently) (Score:3, Interesting)
Re:sweet (Score:5, Interesting)
Source of revenue: patches with crapware (Score:3, Interesting)