Skip to main content

Oracle fixes critical hole in Java, may have known about the issue for months

Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today, in an uncharacteristic update to its software. But it seems the company knew about the issue far longer than the rest of us.

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Oracle Headquarters

Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today in an uncharacteristic update to its software, according to Forbes. But it seems the company knew about the issue far longer than the rest of us.

Oracle usually only pushes out updates to its Java software on a quarterly basis, and many did not expect the company to provide a patch for this hole. Indeed, researchers suggested people who did not need to use Java should turn it off just in case. But while the patch is a positive step toward protecting Java users, security researchers at Security Explorations are saying that they told Oracle about the issues four months ago.

The security firm released a list of all the vulnerability reports it supposedly sent to Oracle in April, as well as confirmation that the Java creator received the bug reports. In it, Oracle says it received the report, and pushes a code update in June, but “continues to investigate” other existing issues into August.

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

The vulnerability in Java 7 Runtime allowed malware writers to push viruses to both PC and Mac computers since both are compatible with the software. It reminded researchers of the Java vulnerability that enabled the Flashback virus that forced Mac users to realize that the Apple-made computers are not impervious to malware. Exploits seen in the wild, however, only attacked PC computers, more than likely because PCs are a larger, more profitable market for hackers.

People “caught” the virus by visiting infected websites. The malware executed a download when the webpage opened, and it did not give any signals that it was downloading other than a few people who saw a “loading” sign over a java icon pop up and disappear.

The vulnerability was even being sold as part of an exploit kit in the hacker underground market. Find the patch for the hole on Java’s website.

via Forbes; Oracle HQ image via Mark Coggins/Flickr

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.