tomcat-users mailing list archives

From Giles Coochey
Subject Re: Java 6u35, 7u07 are available
Date Fri, 31 Aug 2012 15:28:20 GMT
On 31/08/2012 16:22, Jess Holle wrote:
> Well, don't give Oracle too much credit -- or grief.
> According to various articles (look them up, I didn't save the URLs), 
> they were notified of these vulnerabilities ~4 months ago.
> Unfortunately several days ago serious attacks in the wild using these 
> vulnerabilities were discovered -- after which Oracle responded rather 
> quickly.
> So one can give Oracle hell for not triaging these particular 
> vulnerabilities as needing redress far more quickly than 4 months or 
> laud them for fixing the issue quickly once a zero-day attack was 
> found in the wild.  I'd say the reasonable response is somewhere in 
> between and that overall most companies make some mistakes in this 
> area (just look at some of the issues Microsoft has sat on....)
I try not to criticise Oracle or Sun too much; it kind of went from 
'exploit in the wild' to 'very easily obtainable exploit'.

I can understand them being vague about the update, but critically 
severe seems an appropriate description.


Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
