Security researcher experiments with patching Java
With Oracle planning to wait until next February, security researcher Adam Gowdiak decided to take matters into his own hands by developing a patch for a critical security vulnerability he had discovered in Java. He has posted a report on his efforts to security mailing list Full Disclosure. However, the patch is not intended for publication – for one thing this would give away details of the vulnerability, which the researcher has kept under wraps so far. Instead, Gowdiak hopes that his experiment will prompt Oracle to speed up its process for releasing official patches.
Gowdiak informed Oracle of the critical vulnerability in late September. It potentially enables an attacker to use a specially crafted applet to access assets on a system with the privileges of the logged-in user. He was, however, just too late for the company's October patch day. Oracle informed Gowdiak that it was already in the final stages of testing its October patches and that any patch would have to be held over until the next Critical Patch Update (CPU), scheduled for 19 February 2013.
In order to estimate the amount of work involved, the security researcher then decided to develop a patch himself and found that fixing the vulnerability required changing just 25 characters of code. This took him all of 30 minutes. According to Gowdiak, the patch has no discernible effect on the code logic, which would make extensive integration tests to check its effect on other programs superfluous.
It may be that Oracle is in no great hurry to fix the problem because details of the vulnerability have not yet been made public. The case has echoes of a similar vulnerability which was being exploited by cyber criminals in August, despite having been discovered and reported to Oracle by Gowdiak several months previously.