Feeds

Not done yet: Oracle to ship revised Java fix on February 19

Addresses flaws left open after February 1 patch

The Essential Guide to IT Transformation

If at first you don't succeed, and all that... Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn't fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.

February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's Eric Maurice wrote in a blog post on Friday. "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."

Oracle has been struggling to re-establish the credibility of its Java security patching process – particularly where the Java browser plugin is concerned – ever since August 2012, when news first emerged that Java flaws were being actively exploited by malicious websites.

At the time, researcher Adam Gowdiak of Polish startup Security Explorations said he had alerted Oracle to the vulnerabilities months earlier, but that rather than releasing patches for them, the database giant had been dragging its feet.

Under pressure from mounting public outcry, Oracle eventually issued an out-of-band emergency patch for those first-reported flaws. But mere days after it did so, still more vulnerabilities were discovered in the same code.

Since then, Oracle and hackers have played a continuous game of Whac-a-Mole as more and more flaws have popped up, with most security experts advising users simply to disable the Java plugin altogether, rather than wait for Oracle to get its security house in order.

In this latest episode, Oracle says its revised February 2013 Critical Patch Update does not alter the major fixes that were released on February 1, but will merely include the other fixes that weren't yet included in the bundle when it was released ahead of its original schedule.

Oracle did not say which fixes were next on the agenda or how critical they were, but said that it would issue a revised Critical Patch Update Advisory including all the relevant information at this location, also on February 19.

Following that release, and assuming no new crises crop up in the meantime, the next Java Critical Patch Update is due to arrive on June 18, 2013. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.