Thursday, April 15, 2010

Sun Releases JRE 6 Update 20 - Java 0Day Fix!

http://java.sun.com/javase/6/webnotes/6u20.html

Trusted sources have confirmed that this new update addresses the 0Day released by Google's Tavis Ormandy.

Sadly, trusted friends and security professionals shouldn't have to 'figure' out if this update fixes the issue...Sun/Oracle should be informing their paying customers - especially corporate companies.

While the release notes above indicate the update addresses several critical security issues, they made no reference to CVEs or any other meaningful references. What was fixed?

Still no official statement from Oracle/Sun on any of this...which I feel is a slap in the face to their customers (both free users of Java and the corporations that pay them millions of dollars for other products).

Perhaps they should have used some of that Iron Man 2 money to get a better public relations team - especially when dealing with an active in-the-wild exploit against a publicly known vulnerability in their product. Freaking sad.

Big ups to Steve Manzuik & Ryan Naraine @ Threatpost.com for all their help.

-----------------------------------

UPDATE (4/16/2009 8:19PM) - It appears that Sun/Oracle has released an advisory and a blog post to spread the word on the fix in Java JRE 6 Update 20. A little late, but kudos to them for trying to get the word out. Even bigger kudos to Sun/Oracle for fixing the bug so rapidly (~7 days)... even if it took full disclosure and active exploits to get it to the public.
