A Polish security company says it alerted Oracle in early April to a number of serious vulnerabilities affecting Java. Although some were patched in June, those currently being exploited to infect a machine or take control of it have still not been fixed.
Oracle has clearly been aware for several months of the existence of vulnerabilities in the Java interpreter. The PC World website reports that a Polish security company, Security Explorations, warned the US company as early as April 2, reporting no fewer than 19 holes. Some of these holes are now being exploited by hackers to infect computers.
Oracle releases security patches every four months. The latest wave of updates came last June, but only three of the vulnerabilities identified by Security Explorations were corrected. More troubling, none of the holes currently used to take remote control of an infected machine were fixed.
Oracle has therefore been aware of the situation for four months now. Will the company publish a new emergency patch? This does not seem to be the case, even though the Polish security firm has sent a proof of concept showing a different method to efficiently exploit the holes. So we will have to wait until the next wave of patches, which is scheduled for mid-October.
Oracle's apparent lack of diligence on this problem will certainly lead to controversy, since Java is present on many computers worldwide. While waiting for a response from Oracle, which has so far kept a regrettable silence, it is still possible to disable Java or uninstall it completely.