Polish firm Security Explorations and its CEO Adam Gowdiak continue to be a thorn in Oracle’s side by repeatedly questioning the giant’s decision not to issue an out-of-band patch for a critical Java flaw in Java SE (Standard Edition) 5, 6 and 7.
According to their research, the vulnerability could allow attackers to bypass the security sandbox in those three versions of Java, which are currently installed on nearly a billion machines around the world.
The flaw was reported by the firm a few weeks before the scheduled October 16 Java Critical Patch Update but, according to Oracle, creating a patch for it and testing it would have seriously delayed the update, so Oracle chose to leave it for the next one, which is scheduled for February 2013.
Security Explorations had to accept the answer, but was obviously not willing to take it at face value, as Gowdiak revealed in his Monday post on the Full Disclosure mailing list.
Taking into consideration that Oracle Critical Patch Updates go through extensive integration testing with other products such as JRockit, WebLogic Server, and E-Business Suite, Gowdiak and his team decided to conduct a “small Vulnerability Fix Experiment”.
They discovered that the fix could be implemented within half an hour, that only 25 characters in the source code needed to be changed in order to implement it, and that the fix does not seem to require any integration tests with other Oracle application software, as the code logic was not changed at all and would not affect third-party applications.
“We provided Oracle corporation with the results of our analysis on Oct 19, 2012,” concludes Gowdiak. “We hope our quick experiment sufficiently challenges the company and that it leads to the verification of Oracle’s stance, especially the one relying on a need for four additional months to implement and release a security update for a critical security issue in Java (Issue 50), which we believe (and are hopefully correct with respect to the analysis conducted) can be addressed within less than 30 min.”
I guess the ball is in Oracle’s court now.