Oracle knew of Java vulnerabilities says researcher
Oracle apparently found out four months ago about the critical Java vulnerability that is already being actively exploited for attacks – but has yet to take action. Researcher Adam Gowdiak posted to the Bugtraq security mailing list that his company Security Explorations discovered a number of vulnerabilities in Java during a research project and confidentially reported them to Oracle last April. Two of the vulnerabilities reported, he writes, are the ones that the recent exploit is using to turn off Java's sandbox.
Gowdiak says that he even demonstrated to Oracle how the sandbox can be turned off with a proof of concept. Gowdiak most recently received a status report from the company on 23 August stating that 19 of the 25 unpatched vulnerabilities had already been closed internally in the source code, including the two that are currently being actively exploited. The plan is apparently to include these changes, at the earliest, in the next Critical Patch Update (CPU) for the downloadable version of Java on 16 October.
However, Oracle has still not released a public statement about the latest developments, nor has the company responded to the request for more information that was sent to it earlier this week. There is no information at all on when a patch will be released, and the vulnerable Java 7 Update 6 is still available for download without so much as a security warning.
Users who have installed Java should deactivate the Java plugin in their browser immediately, at least until Oracle provides a patch. A recent article explains how to deactivate Java; to confirm that it has actually been disabled, visit The H's BrowserCheck page, which shows right away whether the plugin has really been turned off.
- The new Java 0day examined, a feature from The H.
- The H Update Check closes because of vulnerability, a report from The H.