Oracle to bulk up Java update on 19 February
Oracle has announced that it will still be releasing Java updates on 19 February. At the start of February, the company said it had brought forward patches it had planned to release on 19 February, the date set aside for a Java "Critical Patch Update" release, after discovering that one or more of the vulnerabilities were being exploited in the wild. According to the latest announcement, a "small number of fixes" did not make it into the early release. For that reason, Oracle will be publishing an update to the 1 February release and offering an updated advisory.
Oracle's Java problems are far from over, though. As well as the day-to-day attacks on its Java applet plugin, there is also the problem of old versions of Java still in circulation. Security blogger Brian Krebs found a particularly egregious example in the shape of Yahoo's SiteBuilder package. Users who want to use Yahoo's hosting services are directed to use the SiteBuilder software to build their site; SiteBuilder requires Java to run, so Yahoo bundles a Java runtime with it. The bundled Java is Java 6 Update 7, a version that dates back to the summer of 2008, while Oracle's most recent update release included Java 6 Update 39. This is most likely only the first of many software packages to be found bundling antique, vulnerable versions of Java.
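Bundled runtimes like the one in SiteBuilder never show up in the system-wide Java installation, so a patch check that only looks at the default `java` on the PATH misses them. The following inventory script is an added example, not code from the article, Yahoo or Oracle: it walks an application directory, finds every `java`/`javaw` executable a vendor may have buried in it, parses the version banner, and flags anything older than a baseline such as Java 6 Update 39. The directory layout and version banners in `demo()` are constructed for illustration; the parser also accepts the newer "11.0.2" numbering scheme of Java 9 onwards, which goes beyond the Java 6 case in the text.

```python
"""Inventory bundled Java runtimes under an application directory and flag
those older than a baseline. Added example; the sample paths and banners in
demo() are constructed, not taken from Yahoo SiteBuilder or Oracle."""
import os
import re
import subprocess

# Version string formats seen in `java -version` output:
#   legacy  "1.6.0_07"  -> Java 6 Update 7
#   modern  "11.0.2"    -> Java 11.0.2 (scheme used from Java 9 onwards)
_LEGACY_RE = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?')
_MODERN_RE = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')
# `java -version` prints the version in double quotes on its first line (on stderr).
_BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

JAVA_BINARIES = {"java", "java.exe", "javaw", "javaw.exe"}


def parse_java_version(s):
    """'1.6.0_07' -> (6, 0, 7); '1.6.0' -> (6, 0, 0); '11.0.2' -> (11, 0, 2)."""
    s = s.strip().strip('"')
    m = _LEGACY_RE.match(s)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MODERN_RE.match(s)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {s!r}")


def version_from_banner(text):
    """Extract the version tuple from `java -version` output."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError("no Java version banner found")
    return parse_java_version(m.group(1))


def is_stale(version, baseline):
    """True when `version` is older than `baseline` (plain tuple comparison)."""
    return version < baseline


def find_java_binaries(root):
    """Yield every java/javaw executable under `root`, however deeply it is nested."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in JAVA_BINARIES:
                yield os.path.join(dirpath, name)


def run_java_version(path):
    """Default runner: invoke the binary with -version and return its banner.
    This executes whatever was found on disk, so use it only on trusted hosts."""
    proc = subprocess.run([path, "-version"], capture_output=True, text=True, timeout=30)
    return proc.stderr or proc.stdout


def audit(root, baseline, runner=run_java_version):
    """Return [(path, version_or_None, status)] for every runtime under `root`.
    `runner` is injectable so the logic can be exercised without executing anything."""
    results = []
    for path in sorted(find_java_binaries(root)):
        try:
            version = version_from_banner(runner(path))
        except (OSError, ValueError, subprocess.SubprocessError):
            results.append((path, None, "UNREADABLE"))
            continue
        results.append((path, version, "STALE" if is_stale(version, baseline) else "ok"))
    return results


def demo():
    """Build a constructed directory tree with two fake runtimes and audit it offline."""
    import tempfile
    root = tempfile.mkdtemp(prefix="java-audit-")
    # Constructed layout: an antique bundled JRE next to an up-to-date one.
    layout = {
        "SiteBuilder/jre/bin/java": "1.6.0_07",
        "OtherApp/runtime/bin/java.exe": "1.6.0_39",
    }
    banners = {}
    for rel, ver in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()  # empty placeholder; never executed here
        banners[path] = f'java version "{ver}"\nJava(TM) SE Runtime Environment (build {ver}-b00)\n'
    found = audit(root, baseline=(6, 0, 39), runner=lambda p: banners[p])
    return {os.path.relpath(p, root).replace(os.sep, "/"): (v, s) for p, v, s in found}


if __name__ == "__main__":
    for rel, (version, status) in demo().items():
        print(f"{status:10} {version} {rel}")
```

For a real host, call `audit("C:\\Program Files", (6, 0, 39))` or the equivalent Unix path; the default runner executes each discovered binary, which is fine on a machine you administer but is why the runner is injectable. The baseline is whatever the current Oracle release is at the time of the check, not a fixed constant.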
Update: In response to Krebs's article, Yahoo has now told him that it has updated SiteBuilder to include Java 6 Update 39 and says it plans an update to Java 7.