Security Advisor

Java Flaw Found, Flaw Fixed, Flaw Found in Fix

It's been a tough week and a half for Oracle and its Java crew.

Let's recap Java's last 10 or so days:

  • August 27: Security firm FireEye releases info on a zero-day flaw that is actively loading up targeted victims with malware. With no word from Oracle, experts say disabling the Java plugin is your best defense.
  • August 30: Oracle releases an out-of-band fix in the form of Java Version 7 Update 7, which targets the zero-day flaw and two other vulnerabilities.
  • September 1-3: Researchers warn of a phishing campaign that delivers the zero-day exploit, disguised as an official Microsoft e-mail.
  • September 4: News surfaces that a Polish security firm has already notified Oracle that their latest update contains another flaw.

Ouch, what a tough week and a half for the Java crew, especially since some of it is out of Oracle's control. As someone with the byline on all of these stories, I have a couple of observations.

First, the fake e-mail scam: since researchers saw these Microsoft impersonators start showing up after the patch was released, wouldn't that mean the attackers behind it are wasting their time? Nope.

According to a report I discussed here in April, we really suck at updating our Java. Only 38 percent of users move to the latest version, and it takes six months after a release to reach even that figure. By that standard, I'm estimating that only about seven of you have upgraded your Java since the latest release. That leaves a huge number of lazy, unpatched fools for these attackers to target.
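The practical question behind that statistic is which machines are still on a Java 7 build older than 7 Update 7 (reported by the runtime as 1.7.0_07). The script below is an added example, not part of the column: it parses the first line of `java -version` output collected from each host and flags anything on the Java 7 line that predates the fix. The host inventory is constructed for illustration, the tab-separated "host, banner" format is an assumption, and only the Java 7 line is assessed, since that is the release the column discusses; other lines are reported separately rather than called safe.

```python
"""Flag hosts running a Java 7 build older than 7 Update 7 (1.7.0_07).

Added example, not from the original column. Assumptions: each inventory line
is "<host>\t<first line of `java -version 2>&1`>"; only the Java 7 line is
judged against the 7u7 fix, everything else is reported as out of scope.
"""
import re
from typing import Dict, NamedTuple, Optional

# Matches banners such as: java version "1.7.0_06"  (update may be absent)
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


class JavaVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    update: int

    def marketing_name(self) -> str:
        # "1.7.0_07" is what Oracle markets as "Java 7 Update 7"
        return f"Java {self.minor} Update {self.update}"


# The out-of-band fix discussed in the column: Java 7 Update 7.
FIXED_JAVA7 = JavaVersion(1, 7, 0, 7)

# Constructed sample inventory (not real hosts), one banner per host.
SAMPLE_INVENTORY = """\
ws-101\tjava version "1.7.0_06"
ws-102\tjava version "1.7.0_07"
ws-103\tjava version "1.7.0_05"
ws-104\tjava version "1.6.0_33"
ws-105\tjava version "1.7.0_10"
ws-106\tbash: java: command not found
"""


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Parse a `java -version` banner line; None if no version string is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    # A missing "_NN" suffix means the GA build, i.e. update 0.
    return JavaVersion(int(major), int(minor), int(micro), int(update or 0))


def classify(v: Optional[JavaVersion]) -> str:
    """Map a parsed version to a triage status for the 7u7 fix."""
    if v is None:
        return "no-java"
    if (v.major, v.minor) != (1, 7):
        return "not-java7"      # out of scope here, not asserted safe
    # NamedTuple comparison is lexicographic, so 1.7.0_06 < 1.7.0_07 < 1.7.0_10
    return "unpatched" if v < FIXED_JAVA7 else "patched"


def triage(inventory: str) -> Dict[str, str]:
    """Return {host: status} for every non-empty line in the inventory."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        results[host] = classify(parse_java_version(banner))
    return results


def adoption_rate(results: Dict[str, str]) -> float:
    """Share of Java 7 hosts at or above 7u7: the fleet's own '38 percent' number."""
    java7 = [s for s in results.values() if s in ("patched", "unpatched")]
    if not java7:
        return 0.0
    return java7.count("patched") / len(java7)


if __name__ == "__main__":
    statuses = triage(SAMPLE_INVENTORY)
    for host, status in statuses.items():
        print(f"{host}: {status}")
    print(f"Java 7 hosts on {FIXED_JAVA7.marketing_name()} or later: "
          f"{adoption_rate(statuses):.0%}")
```

Feed it the real output of `java -version 2>&1` from each host (the browser plugin ships with the same JRE, so the banner is the version the plugin exposes) and the "unpatched" list is the set the phishing campaign can still reach.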

Second observation: how does a software vendor balance releasing a much-needed fix quickly against the quality assurance needed to catch problems before the fix ships?

Oracle could have waited for its quarterly update (expected sometime in the next month and a half or so) to make sure the fix didn't tear any new holes. But then users would have been stuck with only one "solution": don't use Java.

So I'm assuming the head honchos at Oracle didn't want to leave customers high and dry, and out popped an undercooked patch. But if I were Oracle (and last time I checked, I am not) and had read the report referenced above, it might be worth taking the extra time to make sure the update is fully baked before shipping it. Whether it came out last week or next month doesn't really matter. We won't be updating any time soon anyway...

About the Author

Chris Paoli is the site producer for and

