Not done yet: Oracle to ship revised Java fix on February 19
Addresses flaws left open after February 1 patch
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
If at first you don't succeed, and all that... Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn't fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.
February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.
"As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE," Oracle's Eric Maurice wrote in a blog post on Friday. "Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date."
Oracle has been struggling to re-establish the credibility of its Java security patching process – particularly where the Java browser plugin is concerned – ever since August 2012, when news first emerged that Java flaws were being actively exploited by malicious websites.
At the time, researcher Adam Gowdiak of Polish startup Security Explorations said he had alerted Oracle to the vulnerabilities months earlier, but that rather than releasing patches for them, the database giant had been dragging its feet.
Under pressure from mounting public outcry, Oracle eventually issued an out-of-band emergency patch for those first-reported flaws. But mere days after it did so, still more vulnerabilities were discovered in the same code.
Since then, Oracle and hackers have played a continuous game of Whac-a-Mole as more and more flaws have popped up, with most security experts advising users simply to disable the Java plugin altogether, rather than wait for Oracle to get its security house in order.
In this latest episode, Oracle says its revised February 2013 Critical Patch Update does not alter the major fixes that were released on February 1, but will merely include the other fixes that weren't yet included in the bundle when it was released ahead of its original schedule.
Oracle did not say which fixes were next on the agenda or how critical they were, but said that it would issue a revised Critical Patch Update Advisory including all the relevant information at this location, also on February 19.
Following that release, and assuming no new crises crop up in the meantime, the next Java Critical Patch Update is due to arrive on June 18, 2013. ®
COMMENTS
Reckon it's deliberate.
Gives Oracle another chance that you might forget to uncheck the feckin Ask Toolbar
Not only Java...
These days I'm going through the pain of installing and configuring - with some consultant help - Oracle's ESSO components. A trail-and-error experience, as versions are incompatible, errors are being thrown all over and matching versions between components seem to be a dark art... No meaningful error messages, no meaningful errors reported in logs, just endless stack traces...
Even though it is meant to be used on Linux, RedHat or ***Oracle*** Linux, Oracle can not take their time to provide a RPM, that would pull in all needed dependencies.
Given a choice, will NEVER use Oracle.
Re: Any chance...
Was that added recently? In my experience it just notifies the user that there is an update available, but doesnt actually install anything and is useless for Standard/limited users anyway.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
