Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.
Gowdiak said he plans to present technical details on the flaw Nov. 14 at the Devoxx Java Community Conference in Belgium. His team did share a technical description of the issue along with the source and binary code of a proof-of-concept exploit.
The vulnerability and exploit were announced in late September. Gowdiak's exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.
Oracle did not respond to a request for comments.
Continued: https://threatpost.com/en_us/blogs/oracle-leaves-fix-java-se-zero-day-until-february-patch-update-101712
Oracle on Tuesday pushed out a bevy of security patches for its products, including an update to Java that remedies at least 30 vulnerabilities in the widely-used program.
The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you're not sure which version you have or whether you've got the program installed at all, click the "Do I have Java" link below the red download button on the Java homepage.
Broken record alert: If you need Java, update it now. Cyber thieves and malware love to use unpatched Java holes to break into systems, and miscreants are always looking for new Java exploits to use. If you don't need Java, uninstall it; you can always reinstall it later.
If you need it for a specific Web site, I'd suggest unplugging it from the browser and adopting a two-browser approach. For example, if you normally browse the Web with Firefox, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
Continued: http://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/
Stormy October patch day for Oracle
Oracle patches 109 vulnerabilities