Oracle discloses new zero day exploit and launches JDK for Mac OS X

Filed Under: Apple, Featured, Java, Oracle, OS X, Vulnerability

While some might find it amusing that a company accidentally disclosed a zero day vulnerability in its own software, you won't if you are an Oracle database administrator.

Earlier this month Oracle released a "critical patch update" fixing 88 vulnerabilities in its wide assortment of database products.

Unfortunately one of the fixes for its TNS Listener service had stability issues and is only going to be fixed in future versions.

Still, Oracle saw fit to say it was fixed, even though it has no intention of releasing a patch for it and all current versions remain vulnerable.

This sounds bad enough, but it gets worse. Joxean Koret, who discovered and disclosed the vulnerability to Oracle in 2008, saw the notice that the flaw was fixed and published a proof-of-concept exploit to the Full Disclosure mailing list.

Oracle isn't exactly known for getting security right, but this is downright reckless. Taking four years to fix a serious vulnerability, and even then committing only that future releases, yet to be named, will fix it?

If you are responsible for securing Oracle databases, I would highly recommend creating extremely restrictive firewall rules for the TNS Listener service, or disabling it entirely if it isn't needed in your environment.
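As a concrete illustration of the "extremely restrictive firewall rules" advice, here is an added example (not from the article, Sophos or Oracle) of a host-based iptables rule set that only lets an allowlist of application networks reach the listener and logs every other connection attempt. It assumes the listener is on its default TCP port 1521 (override `LISTENER_PORT` if yours differs) and that the rules are applied on the database host's INPUT chain; the CIDRs passed on the command line are constructed sample values.

```shell
#!/bin/sh
# Added example: emit iptables rules that restrict the Oracle TNS Listener to
# allowlisted client networks. Nothing is applied unless --apply is given.
# Assumption: default listener port 1521; change via the LISTENER_PORT variable.

LISTENER_PORT="${LISTENER_PORT:-1521}"

# Print the rules for the given allowlisted CIDRs (one per argument).
# Ordering matters: ACCEPT for known networks first, then LOG and DROP for
# everything else, so a misordered rule never silently opens the port.
tns_listener_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: tns_listener_rules CIDR [CIDR...]" >&2
        return 1
    fi
    # Keep sessions that are already open working when rules are inserted live.
    echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for cidr in "$@"; do
        # New connections are only accepted from the allowlisted networks.
        echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -s $cidr -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging gives the SOC a signal about probes without flooding syslog.
    echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -m limit --limit 5/min -j LOG --log-prefix \"TNS-LISTENER-DENIED: \""
    # Default deny for the listener port.
    echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -j DROP"
}

# Command-line dispatch: show the rules by default, apply them only on request.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--apply" ]; then
        shift
        tns_listener_rules "$@" | sh -e
    else
        tns_listener_rules "$@"
    fi
fi
```

Run it as `sh tns_rules.sh 10.0.1.0/24 10.0.2.0/24` to review the rules, and add `--apply` as the first argument to load them. Dropped attempts show up in the kernel log with the `TNS-LISTENER-DENIED:` prefix, which is an easy string to alert on.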

In other Oracle news, the Java JDK is now available for OS X Lion (10.7).

For Java neophytes, this is not the Java Plugin/Java Web Start components that integrate with your browser to allow you to launch Java applets.

It only works with 64-bit versions of Lion and is intended for development use. Earlier versions of OS X will not see a port coming from Oracle either.

This might be an indication that Oracle intends to supply their own JRE/Java Plugin/Web Start for Mac users in the future, which would make it easier for OS X users to stay current without relying on Apple.


2 Responses to Oracle discloses new zero day exploit and launches JDK for Mac OS X

  1. As someone pointed out on the Internet Storm Center post, the "Oracle Security Alert for CVE-2012-1675" looks more like workaround suggestions.

  2. Joxean Koret · 900 days ago

    The CVE alert is just an alert with official workarounds. No patch has been released.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.