Security Explorations Says More Critical Java Vulnerabilities Left Unpatched in Latest Update

In a new article in the Register (http://goo.gl/8lzRr), subtitled "Emergency fix rushed out half-baked", author Neil McCallister is just a little too alarmist. The only bit of new information here is that, of the 31 vulnerabilities that Security Explorations notified Oracle of in April, at least 2 more remain unpatched that the security firm considers critical. By critical, I mean code being able to bypass the Java security sandbox.

Almost buried in the article is that these vulnerabilities are not zero-day vulnerabilities, i.e., there are no known exploits in the wild yet. I don’t think Oracle is under any obligation to get these patched immediately as long as the white hats have all kept the details under wraps. It would be nice if they did patch them, but who knows how many other critical vulnerabilities they are working on fixes for?

In fairness, this situation is the counter-argument to my conclusion in my previous blog post that quarterly scheduled updates are probably fine. Knowing that these vulnerabilities exist makes me wish that there were a monthly update, hopefully including the fix for these, coming up in September, rather than a quarterly one in October.
