Oracle Patches Java Zero Day Vulnerability but Is It Enough?


Over the past few months, Java has earned itself the reputation of ‘vulnerable’ as the most of the recent Java updates are vulnerable to exploits in one or other ways. Earlier last week, another vulnerability was discovered that was being widely exploited online, as it was included in several crime kits, including Blackhole and Cool Exploit.

Following the discovery of this exploit, Oracle released a patch to fix the issue, the way it always does. But the irony is that, experts are doubtful about its effectiveness:

“This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately,” Ross Barrett, Senior Manager of Security Engineering at Rapid7 said in an emailed statement. “This fix also changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed. This indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the *next* time a Java vulnerability is exploited in the wild.”

Just like most Java vulnerabilities, this one too opens the floodgates for attackers because Java itself is cross-platform. Thus, with a little work, the same vulnerability can be used to target Windows systems, Mac OS X, and Linux at the same time.

Back in August last year, Oracle issued an urgent fix to seal a dangerous security flaw within its Java software that’s left thousands of computers wide open to malicious attacks from hackers. But what’s bad about this is that despite several experts warning users to “disable Java immediately”, the security patch was released in a very low-key manner, with nothing more than an obscure post made to the notes section of its website, with no press release or no big announcement to the media.

So, with so many uncertainties surrounding Java, we again recommend that those who don’t need the software uninstall it from their system now, or at least do it carefully.