Oracle patches critical Java vulnerability

Oracle has issued an emergency patch to seal a critical Java vulnerability that allowed hackers to install malicious software on Windows-based systems.

According to ComputerWorld, the vulnerability was first identified by Google security researcher Tavis Ormandy.

“They [Oracle] informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle,” Ormandy wrote on an April 9 mailing list post.

“I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.”

Ormandy responded to Oracle’s patch by noting that the company had “completely removed” the vulnerable feature, which was “literally replaced” with return 0.

“A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release,” Oracle confirmed in an official statement.

“This means that developers must specify the codebase parameter in a JNLP file.”
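A deployer upgrading to Java SE 6 update 20 will want to find JNLP files that lack the now-mandatory codebase parameter before users hit launch failures. The checker below is an added example written for this page, not code from Oracle or from the article; both sample JNLP files are constructed, and the requirement that codebase be an absolute http(s) URL is an extra sanity check assumed here rather than Oracle's stated rule.

```python
"""Audit JNLP launch files for a missing codebase attribute.

Added example, not from the article or Oracle: Java SE 6 update 20 rejects a
JNLP file whose root <jnlp> element has no codebase, so scan deployed files
before upgrading. Both sample files below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample that specifies codebase (still launches on 6u20).
JNLP_WITH_CODEBASE = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://apps.example.com/launch/" href="app.jnlp">
  <information><title>Example App</title><vendor>Example</vendor></information>
  <resources><j2se version="1.6+"/><jar href="app.jar"/></resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""

# Constructed sample with no codebase on the root element (rejected by 6u20).
JNLP_WITHOUT_CODEBASE = JNLP_WITH_CODEBASE.replace(
    ' codebase="https://apps.example.com/launch/"', "")


def check_jnlp(text):
    """Return a list of problems; an empty list means the file passes.

    Checks: well-formed XML, root element is <jnlp>, codebase present and
    non-empty, and (an extra sanity check assumed here, not Oracle's rule)
    codebase is an absolute http(s) URL so relative hrefs resolve predictably.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "jnlp":
        problems.append("root element is <%s>, expected <jnlp>" % root.tag)
    codebase = (root.get("codebase") or "").strip()
    if not codebase:
        problems.append("missing codebase attribute (will not launch on 6u20)")
    else:
        url = urlparse(codebase)
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("codebase %r is not an absolute http(s) URL" % codebase)
    return problems


if __name__ == "__main__":
    for name, doc in (("with", JNLP_WITH_CODEBASE), ("without", JNLP_WITHOUT_CODEBASE)):
        print(name, "codebase:", check_jnlp(doc) or "OK")
```

Run it over each .jnlp file in a deployment directory to get a list of files that need the codebase attribute added.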