Java exploit questions Oracle's security

Oracle has said “no comment” to the question I posed on when it would release a patch for a serious security hole in its Java runtime environment, that is currently being exploited.At the time of writing, there was absolutely no info or advice or the company’s security blog.

Internet users are at the mercy of Oracle as reports have emerged of a zero-day vulnerability that capable of infecting PCs that run Java within their web browsers.

The next patch scheduled for release by Oracle is 16 October. 

Java, the write once, run anywhere runtime environment is used on websites to add sophisticated interactivity. It requires a runtime download browser plug-in, and it is this plug-in that has been exploited.

Symantec said: “In our tests, we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does not work on the older version JRE 1.6. A proof of concept for the exploit has been published and the vulnerability.”

The FireEye site warned: “It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.”

F-Secure added: There being no latest patch against this, the only solution is to totally disable Java. Since this is the most successful exploit kit + zero-day… qué horror. Please, for the love of your computer disable Java on your browser.”