Original URL: http://www.theregister.co.uk/2010/04/15/emergency_java_patch/

Oracle releases emergency security patch for Java

Code-execution threat no more

By Dan Goodin

Posted in Security, 15th April 2010 17:25 GMT

Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat.

Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis Ormandy, one of the researchers who first discovered the threat, said he alerted Java handlers inside Oracle's Sun division, but they decided no patch was necessary before the next update release scheduled for July.

It would appear that Oracle officials had a change of heart. On early Thursday, they pushed out Java 6, update 20, which makes changes to the Java Network Launch Protocol, according to release notes. The JNLP is closely associated with Java Web Start, which makes it easy for end users to install custom libraries needed to run Java applications.

There are unconfirmed reports that the patch doesn't completely eliminate the threat, most notably in this Google translation of a report from Heise. A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however.

The out-of-cycle update is a smart move, but Oracle still has unfinished work to make Java patching more seamless. First, Java needs to stop flogging the Yahoo Toolbar each time an update is available. Patches are about security, not marketing the unwanted bloat of partners.

Another gripe we've long had about Java updates is that they reset some default settings. A case in point: If you have Java configured to check for updates daily, instead of monthly as the program does by default, you'll have to reset that preference each and every time you update. That means it could take a full 30 days to get critical security patches like the one released Thursday.

To install the patch immediately, use Java's manual update feature. In Windows, this can be done by selecting Start > Control Panel > Java > Update tab and clicking the Update Now button. And don't forget to uncheck the Yahoo installation box. ®