We brought you news on Monday that hackers were using two big zero-day exploits in Java to install malware on victims' PCs. Due to Oracle's tiered update process, we won't see a potential fix until October. As it turns out, they may not have been zero-day exploits at all. In fact, Oracle may have known about the current exploits for months.
PC World is reporting that a security firm, Security Explorations, warned Oracle about the current exploits in Java back in April. The firm published a press release on April 2 that said they found 19 weaknesses in the Java platform. On that same day, they sent a notice to Oracle containing all 19 of the vulnerabilities. Among those 19 were the two that are being used now in hacking attacks.
After receiving the notice, Oracle patched only three of the 19 reported vulnerabilities in its June update. In August, the company sent Security Explorations a notice saying it would fix the two currently exploited weaknesses, alongside 17 other flaws, in the October patch.
Of course, this raises the question of how hackers got hold of these weaknesses. Security Explorations says the recent attacks exploit the flaw in a different way from the one described in its report. The firm doesn't suspect anyone of leaking critical security information, but it isn't ruling that out either. Somebody on the black market would probably pay a pretty penny for such exploits, but there's nothing to suggest that scenario.
For now, we can only wait on Oracle for a fix. The company will definitely patch the problems in October, if not sooner, and it would reflect badly on Oracle if it waited that long to fix such a critical security hole. In the meantime, you're best off simply disabling the Java plugin in your browser.