Feeds

Not done yet: Oracle to ship revised Java fix on February 19

Addresses flaws left open after February 1 patch

Seven Steps to Software Security

If at first you don't succeed, and all that... Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn't fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.

February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.

"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's Eric Maurice wrote in a blog post on Friday. "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."

Oracle has been struggling to re-establish the credibility of its Java security patching process – particularly where the Java browser plugin is concerned – ever since August 2012, when news first emerged that Java flaws were being actively exploited by malicious websites.

At the time, researcher Adam Gowdiak of Polish startup Security Explorations said he had alerted Oracle to the vulnerabilities months earlier, but that rather than releasing patches for them, the database giant had been dragging its feet.

Under pressure from mounting public outcry, Oracle eventually issued an out-of-band emergency patch for those first-reported flaws. But mere days after it did so, still more vulnerabilities were discovered in the same code.

Since then, Oracle and hackers have played a continuous game of Whac-a-Mole as more and more flaws have popped up, with most security experts advising users simply to disable the Java plugin altogether, rather than wait for Oracle to get its security house in order.

In this latest episode, Oracle says its revised February 2013 Critical Patch Update does not alter the major fixes that were released on February 1, but will merely include the other fixes that weren't yet included in the bundle when it was released ahead of its original schedule.

Oracle did not say which fixes were next on the agenda or how critical they were, but said that it would issue a revised Critical Patch Update Advisory including all the relevant information at this location, also on February 19.

Following that release, and assuming no new crises crop up in the meantime, the next Java Critical Patch Update is due to arrive on June 18, 2013. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.