How long? How long must we sing this song?
Jeremy Scott | October 02, 2012
Following in the footsteps of Joseph’s blog “Hacking to the Music”, the lyrics to the U2 song “Sunday Bloody Sunday” come to mind with the latest news of yet another Java vulnerability, discovered by the same team of Polish researchers that discovered the previous critical Java vulnerability.
The latest vulnerability, labeled “Issue 50,” was disclosed to Oracle last Tuesday and confirmed by the company. Oracle has stated that the issue will be addressed in a future Java SE Critical Patch Update. The researchers at Security Explorations disclosed 30 vulnerabilities to Oracle in early April 2012. It wasn’t until other independent researchers discovered two of those vulnerabilities in August that Oracle responded immediately to address them. The vulnerabilities were quickly adapted into exploit code used in a wave of online attacks.
Popular software components like Java are common, so there is a high probability that the software will be present on target systems. When security holes are discovered, malicious actors quickly include them in exploit kits such as the popular BlackHole Exploit Kit and use them in web- and email-based phishing attacks.
The latest flaw was discovered in Oracle’s Java Standard Edition (SE). Proof-of-concept exploit code developed by the researchers allows complete bypass of Java’s security sandbox. The latest hole may actually be more serious than the previous vulnerability because it affects more versions of the Java SE software.
Are we going to be left with disabling Java within our browsers yet again? How long must we sing this song?

