Oracle fixes critical hole in Java, may have known about the issue for months

Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today in an uncharacteristic update to its software, according to Forbes. But it seems the company knew about the issue far longer than the rest of us.

Oracle usually only pushes out updates to its Java software on a quarterly basis, and many did not expect the company to provide a patch for this hole. Indeed, researchers suggested people who did not need to use Java should turn it off just in case. But while the patch is a positive step toward protecting Java users, security researchers at Security Explorations are saying that they told Oracle about the issues four months ago.

The security firm released a list of all the vulnerability reports it supposedly sent to Oracle in April, as well as confirmation that the Java creator received the bug reports. In it, Oracle says it received the report, and pushes a code update in June, but “continues to investigate” other existing issues into August.

The vulnerability in Java 7 Runtime allowed malware writers to push viruses to both PC and Mac computers since both are compatible with the software. It reminded researchers of the Java vulnerability that enabled the Flashback virus that forced Mac users to realize that the Apple-made computers are not impervious to malware. Exploits seen in the wild, however, only attacked PC computers, more than likely because PCs are a larger, more profitable market for hackers.

People “caught” the virus by visiting infected websites. The malware executed a download when the webpage opened, and it did not give any signals that it was downloading other than a few people who saw a “loading” sign over a java icon pop up and disappear.

The vulnerability was even being sold as part of an exploit kit in the hacker underground market. Find the patch for the hole on Java’s website.

via Forbes; Oracle HQ image via Mark Coggins/Flickr