Feeds

Not done yet: Oracle to ship revised Java fix on February 19

Addresses flaws left open after February 1 patch

Top 5 reasons to deploy VMware with Tegile

If at first you don't succeed, and all that... Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn't fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.

February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's Eric Maurice wrote in a blog post on Friday. "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."

Oracle has been struggling to re-establish the credibility of its Java security patching process – particularly where the Java browser plugin is concerned – ever since August 2012, when news first emerged that Java flaws were being actively exploited by malicious websites.

At the time, researcher Adam Gowdiak of Polish startup Security Explorations said he had alerted Oracle to the vulnerabilities months earlier, but that rather than releasing patches for them, the database giant had been dragging its feet.

Under pressure from mounting public outcry, Oracle eventually issued an out-of-band emergency patch for those first-reported flaws. But mere days after it did so, still more vulnerabilities were discovered in the same code.

Since then, Oracle and hackers have played a continuous game of Whac-a-Mole as more and more flaws have popped up, with most security experts advising users simply to disable the Java plugin altogether, rather than wait for Oracle to get its security house in order.

In this latest episode, Oracle says its revised February 2013 Critical Patch Update does not alter the major fixes that were released on February 1, but will merely include the other fixes that weren't yet included in the bundle when it was released ahead of its original schedule.

Oracle did not say which fixes were next on the agenda or how critical they were, but said that it would issue a revised Critical Patch Update Advisory including all the relevant information at this location, also on February 19.

Following that release, and assuming no new crises crop up in the meantime, the next Java Critical Patch Update is due to arrive on June 18, 2013. ®

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.