Security Explorations researchers demonstrate how easy it is to address the vulnerability
Security Explorations – the company that identified a vulnerability which affected Java SE 5, 6 and 7 (dubbed Issue 50) – claims that Oracle could have a fix for the problem in no time. To demonstrate their point, the experts have made a clever experiment. Last week, Oracle released its October Critical Patch Updates (CPUs), but the company has failed to address the Java SE security hole.
Oracle justified its decision to postpone the fix until the February 2013 CPU by stating that it needed time to perform all the integration testing required to ensure that other products such as JRockit, WebLogic Server and E-Business Suite were not affected in any way.
Since the Java SE security sandbox bypass bug was reported to them less than one month before the release of the October CPU, Oracle feared that implementing the fix would delay the delivery of the other patches.
On the other hand, the experiment performed by the security researchers shows that the issue could be addressed in as little as 30 minutes, not 4-5 months.
In an email to Softpedia, Adam Gowdiak, the CEO of Security Explorations, revealed that “a fix for Issue 50 can be implemented within half an hour time (start time 22:37 is the time of the OpenJDK 7 source code tarball download, end time 23:03 is the time of the ‘application’ of the fix to JRE 7 installation directory).”
Furthermore, he claims that only 25 characters of source code need to be modified to implement the fix, and there’s no need to perform integration testing since the “code logic” is unchanged, and the minor changes that have been applied cannot influence external applications.
“We hope our quick experiment sufficiently challenges the company and that it leads to the verification of Oracle's stance, especially the one relying on a need for four additional months to implement and release a security update for a critical security issue in Java (Issue 50), which we believe can be addressed within less than 30 min,” Gowdiak added.