Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >
"Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email," writes PCWorld's Lucian Constantin. "The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said."
"Oracle has not acknowledged that the new vulnerability actually exists, but it has confirmed that it has received Security Explorations' vulnerability report and is analyzing it," writes The Register's Neil McAllister. "Assuming Oracle does agree that the flaw exists, however, when it will be patched is anybody's guess. The next scheduled Java Critical Patch Update (CPU) isn't due until October 16 -- and when Oracle released its last Java CPU in June, it had only patched two of the 31 flaws Security Explorations reported in April."
"These latest developments serve as a warning against using Java when not needed and also prematurely updating Java," writes CNET News' Topher Kessler. "Java 7 is still very early in its development, being only the seventh release so far, whereas prior runtimes have received over 30 updates to patch and manage vulnerabilities. As a result, if you need Java then you might consider installing a prior runtime version that has been well-tested, but if you do not need Java then you might consider avoiding installing it or removing it from your system if it is already installed."