On Friday, August 31, 2012 10:37:34 AM UTC+2, fabrizio.giudici wrote:
>
> So in the end Oracle wasn't so slow this time, right? :-)
>
Nope, in an isolated context, it doesn't look too bad:

22/8 - Symantec and other security companies start to see the major culprit, CVE-2012-4681, being utilized in the wild: http://www.symantec.com/connect/blogs/new-java-zero-day-vulnerability-cve-2012-4681

26/8 - FireEye is the first to go public with a report on CVE-2012-4681: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

27/8 - The issue becomes *very* public and various combinations make it into malware kits: http://pastie.org/4594319

28/8 - Makes less than positive public headlines all over the world: http://www.f-secure.com/weblog/archives/00002413.html

30/8 - Oracle patches several security holes out-of-band, most of which were probably in the pipeline for October.

In the grand scheme of things, it's an unfortunate fact that Java has risen to become the single biggest vector of attack. Deserved or not, these last incidents certainly don't do much to try to turn this reputation around.

Oracle was originally made exclusively aware of some 19+ identified weaknesses by a security research company, back in April. Oracle pushes security updates out 3 times a year, but for some reason Oracle only fixed 3 of these issues in their June update: https://www.pcworld.com/businesscenter/article/261612/oracle_knew_about_currently_exploited_java_vulnerabilities_for_months_researcher_says.html

Something must have gone wrong at the triage step, for so many vulnerabilities to be dismissed initially, only to later be combined into various severe zero-day attacks. Especially considering that, by Oracle's own records, the JRE is installed on some 3bn machines world-wide.

Perhaps Oracle should revise their triage policy and/or update strategy if it wants to stay relevant as a desktop technology.
