IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Oracle preparing Java statement in wake of accusations
Thu, 30th Aug 2012

Oracle is expected to comment on the Java software security breach as researchers claim the company has known about the vulnerabilities since April.

The Java software security scare led many industry experts to urge users to disable the software in their browsers after it left them open to attacks they could not defend against.

Oracle initially declined to comment on the security scare, but a spokesperson for the company says advice is on the way. Meanwhile, security researchers claim the company has known since April about two unpatched Java 7 vulnerabilities.

According to Computer World, Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, says Oracle knew of the problems after his company reported 19 Java 7 security issues on April 2 this year.

Security Explorations says it continued to report Java 7 vulnerabilities in the following months, with the total number reaching 29.

"We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs," Gowdiak says.

"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU."

The widely installed free software from Oracle opens computers to security threats which experts say are impossible to combat.

While Oracle has yet to comment on the security breach, warnings from Rapid7, AlienVault and other online security companies advised users to disable Java software immediately. Java is currently installed on 97% of enterprise desktops.

Experts say a flaw in the latest version of Java is allowing a second piece of software, called 'Poison Ivy', to be installed, letting hackers gain control of an infected computer and launch further attacks.

"If exploited, the attacker will be able to perform any action the victim can perform on the victim's machine," said Tod Beardsley, engineering manager at Rapid7.

Computers can get infected without their users' knowledge through visiting any website which has been compromised by hackers.

Rapid7 has set up a web page informing users of the risks.