Oracle emergency Java patch delights and confuses

Stung by yesterday's criticism of its tardiness in patching critical vulnerabilities in Java, Oracle (NASDAQ:ORCL) issues an out-of-cycle update. But questions remain.

In IT Blogwatch, bloggers shake their heads.

By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TBA...

Tony Bradley is slightly sarcastic:

Oracle issued a patch today for Java 7...[but] it’s anyone’s guess whether [it] addresses the zero-day exploits.

...

[It] would probably be catastrophic for Oracle to wait...to produce a patch...[but] the release notes do not contain even the most basic information...and the link to the CVE (vulnerability)...just points to a blank Web page.

...

Regardless, there’s an update for Java that you should probably apply. ... It probably fixes the flaws that Oracle has known about since April.

...

[Oracle] needs to [patch faster] and it needs to significantly improve its communications.  MORE

And Rachel King adds:

[It's] intended to [fix] three "distinct but related vulnerabilities" [and] another serious security issue...[which] could be used to exploit personal data and accessibility of the user's system.

...

Security Explorations [says] Oracle knew about these vulnerabilities for months.

...

Despite brewing criticism [of Oracle] the patches are available now, so don't delay.  MORE

But Oracle's Eric P. Maurice tries not to apologize:

Oracle has just released Security Alert CVE-2012-4681.

...

Due to the high severity...Oracle recommends that customers apply this Security Alert as soon as possible. ...the technical details of these vulnerabilities are widely available...and Oracle has received external reports that these vulnerabilities are being actively exploited.  MORE

Think the exploit couldn't happen to you? Think again, says Paul Baccas:

...cybercriminals have taken advantage of the critical zero-day...in Java, sending out malicious email. ...users who click on links contained inside the email...risk instantly infecting their computers.

...

[It links to] an obfuscated script that attempts to load an applet...which exploits the current Java zero-day vulnerability.

...

[Don't] be complacent about the threat.  MORE

Meanwhile, a clearly exasperated Felix Aurelius comments sarcastically:

I just heard...thousands of heads hitting their desks in exasperation and rage all at once. How odd...

...

I can understand a suit not getting the seriousness...but why did Oracle's engineers not even address it in some way? ...shouldn't it have been possible to prevent this exploit...by publishing a security bulletin with temporary fixes...until the code could be patched?  MORE