Reports of an incomplete earlier patch to Java from respected security site

The respected technical website Ars Technica is reporting that the current Java issue is the result of an incomplete patch for an earlier problem.

arstechnica.com says that: Adam Gowdiak of Poland-based Security Explorations, claims the latest vulnerability is a remnant of a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August of 2012. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.

If true, this is a serious blow to Oracle, which maintains and releases the Java software. This code is resident on more than 1 Billion PCs around the world, and the revelation that Oracle may not have fully patched an earlier known exploit could cause ripples for the software giant for some time to come. It certainly doesn’t look good if a half-baked patch was released that left users in a “known-bad” state of software security.

Ars reached out to Oracle, but no response has been received thus far.

We particularly like the quote from Gowdiak:

“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted,” Gowdiak wrote. “It looks like Oracle either stopped the picking too early or they are still deep in the woods.”

Even though Oracle supposedly patched this vulnerability in October, some of the issues highlighted in the bug report were still present in the current exploit. Combined with another privileged code execution bug, this makes for something of a “perfect storm”: the Java exploit has been widely distributed to malware-using cybercriminals via the Metasploit framework, a tool used by hackers both blackhat and whitehat.

Original Article
