You know that Java exploit dotTech posted about yesterday? The one that circumvents Java’s security sandbox and lets attackers remotely install malware on victims’ machines via payloads delivered from booby-trapped websites? Yeah, well, a tech security firm is saying it alerted Oracle to that vulnerability four months ago. In other words, Oracle might have known about the bugs a long time before hackers started exploiting them.
According to PC World, Polish security firm Security Explorations informed Oracle of nineteen security vulnerabilities in Java as early as April 2012. Of those nineteen, two bugs are the ones involved in the above-mentioned Java exploit that has security researchers begging people to disable Java.
Of course, without an official Oracle statement or admission of guilt it is hard to know if Oracle actually received the warnings Security Explorations sent. However, Security Explorations’ side of the story seems to hold up, seeing as their website has a post dated April 2, 2012 that highlights the exploits in Java 7. Security Explorations claims it sent proof-of-concept attacks to Oracle, although what it sent back in April combined the exploits differently from what is happening right now in the wild.
Since the Java 7 exploit was made public this week, Oracle has not commented nor has it issued any ETA on when the critical exploit will be fixed. If it turns out Oracle was indeed warned back in April about these bugs, it is highly irresponsible of Oracle to not patch the holes before the shit hit the fan. Some may even say lawsuit-worthy irresponsible.