In a new article in the Register (http://goo.gl/8lzRr), subtitled Emergency fix rushed out half-baked, author Neil McCallister is just a little too alarmist. The only bit of new information here is that, of the 31 vulnerabilities that Security Explorations notified Oracle of in April, there are at least 2 more unpatched that the security firm considers critical. By critical, I mean code being able to bypass the Java security sandbox.
Almost buried in the article is that these vulnerabilities are not zero-day vulnerabilities, i.e., there are no known exploits in the wild yet. I don’t think Oracle is under any obligation to get these patched immediately as long as the white hats have all kept the details under wraps. It would be nice if they did patch them, but who knows how many other critical vulnerabilities they are working on fixes for?
In fairness, this situation is the counter-argument to my conclusion in my previous blog post that quarterly scheduled updates are probably fine. Knowing that these vulnerabilities exists makes me wish that there was a monthly update, hopefully including the fix for these, coming up in September, rather than a quarterly one in October.