Feeds

Not done yet: Oracle to ship revised Java fix on February 19

Addresses flaws left open after February 1 patch

The Power of One eBook: Top reasons to choose HP BladeSystem

If at first you don't succeed, and all that... Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn't fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.

February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's Eric Maurice wrote in a blog post on Friday. "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."

Oracle has been struggling to re-establish the credibility of its Java security patching process – particularly where the Java browser plugin is concerned – ever since August 2012, when news first emerged that Java flaws were being actively exploited by malicious websites.

At the time, researcher Adam Gowdiak of Polish startup Security Explorations said he had alerted Oracle to the vulnerabilities months earlier, but that rather than releasing patches for them, the database giant had been dragging its feet.

Under pressure from mounting public outcry, Oracle eventually issued an out-of-band emergency patch for those first-reported flaws. But mere days after it did so, still more vulnerabilities were discovered in the same code.

Since then, Oracle and hackers have played a continuous game of Whac-a-Mole as more and more flaws have popped up, with most security experts advising users simply to disable the Java plugin altogether, rather than wait for Oracle to get its security house in order.

In this latest episode, Oracle says its revised February 2013 Critical Patch Update does not alter the major fixes that were released on February 1, but will merely include the other fixes that weren't yet included in the bundle when it was released ahead of its original schedule.

Oracle did not say which fixes were next on the agenda or how critical they were, but said that it would issue a revised Critical Patch Update Advisory including all the relevant information at this location, also on February 19.

Following that release, and assuming no new crises crop up in the meantime, the next Java Critical Patch Update is due to arrive on June 18, 2013. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.