1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Emergency Java update fixes two-year-old flaw after researchers bypass old patch

Discussion in 'Network World' started by RSS, Mar 24, 2016.

  1. RSS

    RSS New Member Member

    Oracle has released an emergency Java security update to fix a critical vulnerability that could allow attackers to compromise computers when they visit specially crafted websites.

    The company has assigned CVE-2016-0636 as the identifier for the vulnerability, which suggests that it is a new flaw discovered this year, but that's not really the case.

    Polish security firm Security Explorations confirmed via email that the new Java update actually fixes a broken patch for a vulnerability that was originally reported to Oracle by the company in 2013.

    Earlier this month Security Explorations announced that a patch released by Oracle in October 2013 for a critical vulnerability tracked as CVE-2013-5838 was ineffective and could be trivially bypassed by changing only four characters in the original exploit. This meant that the vulnerability was still exploitable in the latest versions of Java.

    To read this article in full or to leave a comment, please click here

    Continue reading...
     

Share This Page