Oracle Java SE Critical Patch Update Advisory - October 2012

[ronjor]

Quote:

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:

http://www.oracle.com/technetwork/to...2-1515924.html

[Mman79]

It's about time. I wish I could place bets on how quickly the patch is found to have yet another exploitable hole in it. Thanks.

Edit: I don't recall them ever sending out a patch for the very last vulnerability that was found a few weeks ago.

[Triple Helix]

Thanks Ron!

TH

[PJC]

Here, we go again...

BTW, thanks, Ron!

[Ocky]

Still not secure !

Quote:

However, talking to The H's associates at heise Security, Gowdiak said that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java. According to the researcher, Oracle told him that the October CPU was already in its final testing phase when he reported the vulnerability. Therefore, this vulnerability and another, less critical hole will be closed at the next scheduled Java patch day on 19 February 2013.

http://www.h-online.com/security/new...e-1731176.html

[Mman79]

February...February? The smiley icons I have available to choose from here in the post can't properly reproduce the look I have on my face right now. Java security issues are making IE 6 look like Chrome.

[BoerenkoolMetWorst]

Quote:

According to the researcher, Oracle told him that the October CPU was already in its final testing phase when he reported the vulnerability. Therefore, this vulnerability and another, less critical hole will be closed at the next scheduled Java patch day on 19 February 2013.

Instead of coming to the conclusion that because the patch was already in final testing phase the vulnerability will be fixed the next patch day 4 months later they could come to the conclusion that perhaps they should make patch day monthly and create an out-of-band patch so that the hundred millions users around the world they so gladly advertise are not left vulnerable for so long..

Quote:

Originally Posted by Mman79

It's about time. I wish I could place bets on how quickly the patch is found to have yet another exploitable hole in it. Thanks.

Lol, not necessary when there still exploitable holes left unpatched.

[siljaline]

See also: http://threatpost.com/en_us/blogs/or...-update-101712

Quote:

Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.

Gowdiak's team did share a technical description of the issue and source and binary codes of proof-of-concept exploit code.

Quote:

Originally Posted by Mman79

February...February? The smiley icons I have available to choose from here in the post can't properly reproduce the look I have on my face right now. Java security issues are making IE 6 look like Chrome.

EXACTLY. There's no obscene smiley icon that properly expresses the deep feelings I harbor against Java.

[Dark Shadow]

I can wait until it gets to the point that no one touches oracle Java with a barge pole and it finally Dies off,there will be No tear tears from me.