On 31/08/2012 16:22, Jess Holle wrote:
I try not to criticise Oracle or Sun too much, it kind of went from 'exploit in the wild' to 'very easily obtainable exploit'

Well, don't give Oracle too much credit -- or grief.

According to various articles (look them up, I didn't save the URLs), they were notified of these vulnerabilities ~4 months ago.

Unfortunately several days ago serious attacks in the wild using these vulnerabilities were discovered -- after which Oracle responded rather quickly.

So one can give Oracle hell for not triaging these particular vulnerabilities as needing redress far more quickly than 4 months or laud them for fixing the issue quickly once a zero-day attack was found in the wild. I'd say the reasonable response is somewhere in between and that overall most companies make some mistakes in this area (just look at some of the issues Microsoft has sat on....)
https://community.rapid7.com/community/metasploit/blog/2012/08/30/weekly-metasploit-update

I can understand them being vague about the update, but critically severe seems an appropriate description.
--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net