Oracle fixes critical hole in Java, may have known about the issue for months
 

August 30, 2012 6:16 PM
Meghan Kelly


Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today in an uncharacteristic update to its software, according to Forbes.
But it seems the company knew about the issue far longer than the rest of us.
Oracle usually only pushes out updates to its Java software on a quarterly basis, and many did not expect the company to provide a patch for this hole.
Indeed, researchers suggested people who did not need to use Java should turn it off just in case.
But while the patch is a positive step toward protecting Java users, security researchers at Security Explorations are saying that they told Oracle about the issues four months ago.
The security firm released a list of all the vulnerability reports it supposedly sent to Oracle in April, as well as confirmation that the Java creator received the bug reports.
In it, Oracle says it received the report, and pushes a code update in June, but “continues to investigate” other existing issues into August.

The vulnerability in Java 7 Runtime allowed malware writers to push viruses to both PC and Mac computers since both are compatible with the software.
It reminded researchers of the Java vulnerability that enabled the Flashback virus that forced Mac users to realize that the Apple-made computers are not impervious to malware.
Exploits seen in the wild, however, only attacked PC computers, more than likely because PCs are a larger, more profitable market for hackers.

People “caught” the virus by visiting infected websites.
The malware executed a download when the webpage opened, and it did not give any signals that it was downloading other than a few people who saw a “loading” sign over a java icon pop up and disappear.

The vulnerability was even being sold as part of an exploit kit in the hacker underground market. Find the patch for the hole on Java’s website.


New Java is aviable 1. september.
Update your Java now!!!!!

Re: Oracle fixes critical hole in Java, may have known about the issue for months
 

Dont care, even though I keep getting pop ups to update with the new fix, Im not going to...

Read more about this here;

Re: Oracle fixes critical hole in Java, may have known about the issue for months
 

Don't put your trust in Oracle just yet and it's proposed patch. Seems the patch isn't patching what it's supposed to fix.

Here we go again: Critical flaw found in just-patched Java

Re: Oracle fixes critical hole in Java, may have known about the issue for months
 

You are right, & thats why Mozillza dont recommend it, is it really necessary? & what alternative would you recommend if it is.

Re: Oracle fixes critical hole in Java, may have known about the issue for months
 

Run noscript. Doesn't matter if java is patched or not, the malware can not interact with java unless you ok it.

*edit* Java is popular because it can be programmed for all OSes. Recently was an article that malware was looking at browser identification routines when you arrived at an infected site and gave you malware, dependent on what OS you were running. Mac, Linux, and Windows, all got their own version served to them.