Security Advisor

Java Flaw Found, Flaw Fixed, Flaw Found in Fix

It's been a tough week and a half for Oracle and its Java crew.

Let's recap Java's last 10 or so days:

  • August 27: Security firm FireEye releases details of a zero-day flaw that is being actively exploited to load malware onto targeted victims' machines. With no word from Oracle, experts say disabling the Java browser plugin is your best defense.
  • August 30: Oracle releases an out-of-band fix, Java Version 7 Update 7, which addresses the zero-day flaw and two other vulnerabilities.
  • September 1-3: Researchers warn that a phishing campaign using the zero-day exploit is sneaking onto systems, disguised as an official Microsoft e-mail.
  • September 4: News surfaces that a Polish security firm has already notified Oracle that its latest update contains another flaw.

Ouch, what a tough week for the Java scribes, especially since some of it is out of Oracle's control. As someone with the byline on all of these stories, I have a couple of observations.

First, let's look at the fake e-mail scam. Seeing as researchers saw these Microsoft posers start showing up only after a patch had been released, wouldn't that mean the attackers behind it are wasting their time? Nope.

According to a report that I discussed here in April, we really suck at updating our Java. Only 38 percent of users update to the latest version -- and it takes six months after a release to hit even that percentage. So by that standard, I'm estimating only about seven of you have upgraded your Java since the latest release. That means there is still a huge number of lazy, unpatched fools for these attackers to target.

Second observation: How does a software firm balance the need to release a much-needed fix quickly against the quality assurance needed to catch problems before the fix goes out the door?

Oracle could have waited until its quarterly update release (expected sometime in the next month and a half or so) to make sure the fix doesn't tear any new holes. But then users would have been stuck with only one "solution": don't use Java.

So I'm assuming the head honchos at Oracle didn't want to leave customers high and dry, and out pops an undercooked patch. But if I were Oracle (and last time I checked, I am not) and I had read that same report I referenced above, it might be worth the extra time to make sure the update is 100 percent solid before shipping it. Whether it came out last week or next month doesn't matter. We won't be updating any time soon anyway...

About the Author

Chris Paoli is the site producer for and
